Asked about the vulnerability, a Google spokesman told WIRED that they’re examining the issue closely, but he also downplayed the bug, saying the problem is not exclusive to Chrome and could apply to any browser created from Chromium, the open-source code from which Chrome is derived.
“Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths,” the spokesman wrote WIRED in an email.
What he meant is that the hijacking problem has long been known and that even if Google were to add code that forces the CDM to operate in a different way, other browsers that developers might compile from Chromium could remove that code, leaving streaming content just as vulnerable and therefore not solving the problem of content hijacking.
The lab researchers say Google’s response is baffling. Just because other developers could produce a different browser that doesn’t incorporate more secure measures doesn’t mean Google shouldn’t fix the problem in its own Chrome browser.
“[A] vulnerability in the product of Google which is distributed by Google, and users and [movie] studios expect to be secure, should be highly prioritized and fixed to prevent theft of protected content,” says Dudu Mimran, CTO of the lab in Israel where one of the researchers works.
Livshits and Mikityuk found the bug about eight months ago. It has apparently existed ever since Google embedded the Widevine technology in its browser, though it’s not clear when that occurred. “The way the vulnerability works, it makes sense that it existed from the early days,” says Mimran. The tech giant acquired Widevine in 2010 to secure Chrome streams and premium YouTube channels. Widevine is also embedded in more than 2 billion devices that play protected content, according to its website.
Firefox and Opera also use the Widevine CDM, though the researchers haven’t examined those browsers yet. They limited their research to the desktop version of Chrome. Neither Safari nor Internet Explorer uses Widevine. Safari uses Apple’s FairPlay CDM, and Microsoft’s Internet Explorer and Edge browsers use Microsoft’s PlayReady CDM. The researchers haven’t examined those CDMs yet.
It’s not the first time flaws have been uncovered in a digital rights management system. In 2001 Russian programmer Dmitry Sklyarov discovered vulnerabilities in the encryption system Adobe used for protecting electronic books produced with Adobe Acrobat. That same year a group of researchers found flaws in the digital watermarking technology created by the Secure Digital Music Initiative, a consortium of recording companies and consumer electronics firms, to thwart piracy.
But the Chrome vulnerability is different in that it involves a third-party system that streamers are trusting to protect their valuable content.
“The simplicity of stealing protected content with our approach poses a serious risk for Hollywood [studios] which rely on such technologies to protect their assets,” Livshits says. Though the researchers have no way of knowing if this hole has been used in the real world, it shows that the battle to fight piracy continues on ever-shifting territory.