Lots of things made our modern all-online, all-video era possible: Internet connections got faster, tech got cheaper, and so on. But the thing that made companies like Netflix, Amazon, and Hulu willing and able to become household names in TV is a little invisible: it’s the ability to keep you paying for content.
Streaming video is locked, and when you log in to access it, it’s hard to copy. Sure, piracy still exists, but modern DRM means it’s harder to do than it used to be, so tens of millions of folks pay for subscriptions instead. Unfortunately for the media companies, right now there’s a bug in one of the world’s most popular browsers that makes it fairly straightforward for anyone with a mind to do so to go in and yank all that juicy copyrighted material right out from under Netflix’s nose.
As Wired reports, a bug in the DRM system Google’s Chrome browser uses to let you stream video has basically opened a giant digital hole that lets you reach in and grab content illegally but effectively.
Instead of acting basically as a screen capture system, as the legal tools do, the security hole allows a user to more-or-less reach in and grab a decrypted movie as it streams. DRM is supposed to bridge that whole process, and Chrome does use a DRM system called Widevine to do just that. But the bug in Widevine basically creates a gap that the system doesn’t cover.
If you access that gap, you’re then recording data from a point in between the place where the browser says, “Hey, this stream of data is a video, we should decrypt and play it,” and where your eyeballs say, “Hey, there’s a video on this screen now!”
As Wired explains, the researchers who shared their findings with Google have not yet widely published their discovery, to give Google a chance to fix it first.
When Wired asked Google about the error, a spokesman told them that the company is looking into the issue but also pointed out that it’s not necessarily exclusive to Chrome. The base code from which Chrome is derived, Chromium, is open-source — meaning any other browser using it may share the same vulnerability, too.
That means that even if Google identifies and pushes a fix for Chrome as it now exists, similar vulnerabilities could persist in other, similar browsers, Wired explains. And the researchers who told Google about the bug say that’s just weird reasoning, and has nothing to do with reasons why Google should or shouldn’t fix their own browser pronto.
Meanwhile, the researchers gave Google 90 days to fix the bug before they shared. That was on May 24, which means that window closes on August 22.