Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Chrome Google Piracy Entertainment

Chrome Bug Makes It Easy To Download Movies From Netflix and Amazon Prime 128

A vulnerability found in Chrome by researchers allows people to save copies of movies and TV shows from streaming websites such as Netflix and Amazon Prime. From a Gizmodo report:The vulnerability, first reported by Wired (Editor's note: Wired blocks adblockers), takes advantage of the Widevine EME/CDM technology that Chrome uses to stream encrypted video from content providers. Researchers David Livshits from the Cyber Security Research Center at Ben-Gurion University and Alexandra Mikityuk of Telekom Innovation Laboratories discovered a way to hijack streaming video from the decryption module in the Chrome browser after content has been sent from services like Netflix or Amazon Prime. The researchers created a proof-of-concept (which is currently the only evidence of the exploit) to show how easily they could illegally download streaming video once CDM technology has decrypted it.Google was notified of the bug last month but is yet to patch it.
This discussion has been archived. No new comments can be posted.

Chrome Bug Makes It Easy To Download Movies From Netflix and Amazon Prime

Comments Filter:
  • If this gets out in the wild, there will be a bunch of new netfllix subscribers...

    • Re: (Score:3, Informative)

      I am a Netflix subscriber. When I VPN into my work network my computer goes through a US proxy and I get the more featured US Netflix. If tool came out I would love it because I could download the show, and then watch it later through my media player.
      • by Anonymous Coward

        You know, I still can't figure out why they block using IPs instead of billing data. Netflix (at the behest of MAFIAA companies) has been very aggressive about blocking VPNs [slashdot.org]. They've even blocked IPv6 [slashdot.org] because they can't figure out how to geocode the IPs. Meanwhile, many thousands of users like you and me can log into a private/corporate VPN that Netflix doesn't readily identify as being a VPN, and everything is unlocked. I have a $10/month VPS in a Dallas datacenter I use for all kinds of stuff, among which

        • by tepples ( 727027 )

          If you're paying for your account with a US credit card billed to a US address, you should get US content when you login to Netflix no matter what your IP address is.

          That would be correct if the license from the movie studio were "You may perform this motion picture to users who are tax resident in this area." But it isn't. Instead, it is "You may perform this motion picture in this area."

          • by Anonymous Coward

            That would be correct if the license from the movie studio were "You may perform this motion picture to users who are tax resident in this area." But it isn't. Instead, it is "You may perform this motion picture in this area."

            I believe my fellow AC's point was that the existing method of geocoding IPs is already insufficient for fulfilling the requirement of "you may perform this motion picture in this area", and that basing it off of billing data will be much more effective at doing just that, even though it does do it in a round-about, indirect method.

            Though I will concede that the problem is likely that Netflix would first need to convince the dinosaurs over at the MPAA that restricting based on billing data will be more li

            • Which is more likely to be accurate for someone whose billing address is in one country but is visiting another country on vacation or a business trip? The license prefers counting the play toward the revenue for the regionally exclusive distributor for the country in which the person is traveling, not that for the person's home. It's conceptually like visiting a movie theater while traveling.

        • by SQLGuru ( 980662 )

          People near the borders (or people looking to make a few bucks) would drive across and buy a local pre-paid card (and possibly even a Mailboxes Etc. type address) to get the content of a nearby country. They could easily sell the cards and/or the billing address to others in their country.

        • It's all about detering the 80%-90% people just like what Microsoft did with Windows (95, 2000, XP etc.)
          Heck, while Windows was a matter of entering a known CD key or downloading a volume licensed version, the VPN solution for Netflix doubles your monthly bill so you need both technical ability and a willingness to pay.

          Going after the biggest VPNs (e.g. let's say public ones with more than 100 Netflix users) is like Windows activation, sort of a show stopper although it was just one more step that was never

    • by lgw ( 121541 )

      I hadn't thought of the benifit this will have for Netflix. My first take was: Chome "bug" makes it easy to download videos from Google's competitors. This really helps those guys, though, unless it lasts long enough that the content owners start getting pissed at Netflix (not sure how much it matters to Amazon's "purchase" model).

      • Or people get a free 14 day trial and then quit after downloading everything they'd ever be interested in watching.

    • by flyingfsck ( 986395 ) on Friday June 24, 2016 @11:53AM (#52382623)

      For real operating system users:
      ffmpeg -f x11grab -r 25 -s cif -i :0.0 out.mpeg

      For toy operating system users:
      install uscreencapture dshow filter, then ffmpeg -f dshow -i video="UScreenCapture" out.mp4

      You are welcome.

      • by Anonymous Coward

        For real operating system users:

        ffmpeg -f x11grab -r 25 -s cif -i :0.0 out.mpeg

        For toy operating system users:

        install uscreencapture dshow filter, then ffmpeg -f dshow -i video="UScreenCapture" out.mp4

        You are welcome.

        Real operating system doesn't need graphics, peasant.

      • by tepples ( 727027 )

        install uscreencapture dshow filter

        Does that even work if a player application that uses Protected Media Path [wikipedia.org] is running?

      • by Anonymous Coward

        Isn't that going to result in horrible sampling-frequency related tearing / juddering? When we used to do this with PowerDVD back in the nineties, I think the capture process somehow slaved the playback process to it to prevent synchronization issues..

    • by Anonymous Coward

      This is how the it should be classified in their bug-reporting system:

      Wontfix: notabug

  • by Anonymous Coward

    LOL!!!!

  • by Anonymous Coward on Friday June 24, 2016 @11:07AM (#52382225)

    It's a feature!

    • by TroII ( 4484479 )

      That's probably why it hasn't been fixed yet, maybe the Google employees working on Chrome like using the feature themselves.

  • by downright ( 1625607 ) on Friday June 24, 2016 @11:12AM (#52382261)

    DRM will always fail.
    If it is on a screen or through a speaker
    I can capture and re-feature
    So spend your money and waste your time
    I want media I buy to be mine
    I can watch it on a tv
    I can watch it on a phone
    I can watch it in a car
    I can watch it at home
    I know to this you are appalled
    But any other way and we don't want it at all.
     

    • by Ormy ( 1430821 )
      Love it. Mod-up.
    • DRM will always fail.

      Serious question: How has HDMI with HDCP failed?

      Yes, it's succeeded in annoying users (with products that don't always sync properly, and heck, taking longer to change inputs on one's TV due to the delay).. But hasn't it succeeded in (unfortunately) getting rid of the "analog hole"?

      • You can video the TV and capture the audio. You can screen capture the DVD from any computer. How does HDMI stop piracy? It doesn't. The people selling the specification merely pretend it does. I like HDMI by the way. Fewer cables... it just doesn't stop piracy. Not even a little.

        • But those are all "poorer copies".

          I'm still saying I don't think it's good, because of the user facing syncing issues and such.. I just think that it's succeeded _at what they attempted to do_.

          HDMI != HDCP.

      • by jabuzz ( 182671 )

        Didn't even get rid of the digital hole. The moment the master HDCP 1.x key was reverse engineered and leaked out it was game over. You can go on eBay and buy a cheap standalone box that will record a HDCP encrypted stream to an H264 encoded MP4. Sure some loss of quality but way better than an analogue hole.

  • In the Case of Prime (Score:4, Interesting)

    by twmcneil ( 942300 ) on Friday June 24, 2016 @11:15AM (#52382293)
    This should be called a feature. Netflix advertises itself as a streaming service. Amazon Prime claims that you can "own" the movie. Problem is Prime is still just a streaming service. It's false advertising and the reason I don't use Prime for movies. If I "buy" a movie, I expect to be able to d/l to a portable drive so I can watch it when I don't have a data connection. If I subscribe to streaming service, I won't have that expecation.
    • by Stealth Dave ( 189726 ) on Friday June 24, 2016 @11:39AM (#52382511) Homepage

      Amazon Prime claims that you can "own" the movie. Problem is Prime is still just a streaming service. It's false advertising and the reason I don't use Prime for movies. If I "buy" a movie, I expect to be able to d/l to a portable drive so I can watch it when I don't have a data connection. If I subscribe to streaming service, I won't have that expecation.

      I think you mean Amazon Video, the division that sells content for download and purchase, not Amazon Prime which actually is a streaming service similar to Netflix. However, by this definition, you are buying movies from Amazon Video; not just streaming. Any video content that you purchase from Amazon can be downloaded to your Android or iOS device (including an external microSD Card in the case of the former) with the Amazon Video app for later playback offline; no data connection required. We do this regularly to watch movies from Amazon while on a flight, in a car with no wifi, etc. You can even download Amazon Prime video (which you do not own) and play it offline for a certain period of time, which I believe is 30-45 days from the time of download; quite reasonable for content that you do not own, IMO.

      What you cannot do is play it back on any device with a player of your choice. Amazon Video, just like Apple's iTunes, Google Play, Vudu, UltraViolet partners, etc., places DRM on all content that they sell, and it will only play on authorized devices and software.

      - Stealth Dave

    • This should be called a feature. Netflix advertises itself as a streaming service. Amazon Prime claims that you can "own" the movie. Problem is Prime is still just a streaming service. It's false advertising and the reason I don't use Prime for movies. If I "buy" a movie, I expect to be able to d/l to a portable drive so I can watch it when I don't have a data connection. If I subscribe to streaming service, I won't have that expecation.

      I get what you are saying but you are not describing Amazon Prime, which features a streaming video service and no claims of ownership. You are describing "Amazon Video," the option which allows you to "buy" or rent videos to stream to your computer or other devices.

  • Repeat after me... (Score:4, Informative)

    by kju ( 327 ) on Friday June 24, 2016 @11:16AM (#52382305)

    DRM does not work. There will always be a way around it.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Some people believe that one day they'll figure out how to let you listen to something without you being able to record it, or show you something without you being able to take a picture of it.

    • by Gr8Apes ( 679165 )
      If you can see it or hear it, it can be copied. Always.
      • by tepples ( 727027 )

        If you can see it or hear it, it can be copied. Always.

        Then perhaps this Widevine breach benefits video game distributors at the expense of noninteractive video services such as Netflix and Amazon Prime. You can't see or hear video game rules; you must instead infer them from the picture resulting from their application.

    • DRM only affects legitimate customers. DRM is the first thing removed from the pirated copies. And yes, I'm one of those guys who pirated something, liked it, bought the box set, and still pirates it because FUCK CHANGING DISCS
    • Not once they deliver the content directly to your brain with DNA locked injection modules. Oh, and make all other forms of analog content illegal.

      Think it can't happen? Remember how AT&T operated their network up until the 1990s?

  • (Editor's note: Wired blocks adblockers)

    Only in a really poor way apparently. I have an ad-blocker and can get to the link just fine.

  • whut evvar (Score:3, Informative)

    by cellocgw ( 617879 ) <cellocgw&gmail,com> on Friday June 24, 2016 @11:25AM (#52382401) Journal

    And nearly all that content can be accessed faster and more easily via kat or piratebay.

    bfd, really

  • by Lumpy ( 12016 ) on Friday June 24, 2016 @11:29AM (#52382435) Homepage

    Netflix Disc subscription... MakeMKV + handbrake. end up with far FAR better quality rips and 100% undetectable by the copyright police.

    • by Gr8Apes ( 679165 )
      Honestly, with several hundred discs in my library, I only have Netflix for recent movies I only want to see once, with some others I may have interest in. In the past year I'd say at least 20% of the movies I've gotten have been so bad I didn't even watch the whole thing. I'm suspecting my tolerance for uninspired movies has dropped significantly though. (and no, the twilight series was never in my queue, so you can cross those off the rejection list)
      • by Lumpy ( 12016 )

        many I rip to watch later and then delete. I honestly love the ripped movie as it starts now. while the raw Bluray takes forever with all the forced adverts. and "you are evil, dont download a car, etc...."

        • by Gr8Apes ( 679165 )

          while the raw Bluray takes forever with all the forced adverts. and "you are evil, dont download a car, etc...."

          What are those things? Honestly, I think my BD player has seen maybe 8 disks in however many years since I got it with the prior TV. Even my HD-DVD player has only ever seen a handful of disks.

        • by allo ( 1728082 )

          Which is solved with netflix as well.

    • I found this out only after renting a Blu-Ray from netflix and realizing Windows 8.1 and Windows Media Player didn't come with the ability to play Blu-Ray.

    • by Anonymous Coward

      Until you post about it in public, that is.

    • Just use MKVs, MKV is great. VLC and Plex use it, that's all you need.
  • by Anonymous Coward

    Yet another headline written by people who don't know how the Internet works.

  • by luis_a_espinal ( 1810296 ) on Friday June 24, 2016 @11:34AM (#52382479)

    Chrome Bug Makes It Easy To Download Movies From Netflix and Amazon Prime

    When it comes to Amazon Prime, I like this bug... err feature. Owning content that can't download? I was a sucker when I bought a few things that I could have gotten on DVD. Never again.

  • by Opportunist ( 166417 ) on Friday June 24, 2016 @11:52AM (#52382615)

    For the first time ever "it's not a bug, it's a feature" is actually true.

  • Is a single example produced by researchers really "easy"?

    Would that qualify as making downloads "easy"?

  • if Netflix had anything worth watching more than once in their streaming catalog.

    Netflix seems to be the B movie depository these days.

  • This one definitely qualifies for the term, "it is not a vulnerability, it is a feature". I don't see any harm by being able to record shows on my machine.

  • Publicizing flaws in deployed DRM schemes only increases the pressure from Hollywood to deploy stronger, more user-hostile schemes. Please don't do it.

  • I can understand the convenience of Netflix. I can understand an ethical point of view against torrenting / piracy. What I can't understand is people paying Netflix and exploiting a bug to capture a netflix stream, when that content is already easily available via torrent. Why would you bother to do that?
    • by jabuzz ( 182671 )

      Because downloading a torrent is a public viewable operation. Where as capturing the stream on your browser just looks like normal legitimate viewing and far harder to trace. Therefore there is far less chance the copyright police are going to send nasty letters asking you to settle out of court for a not inconsiderable sum of money.

  • As all DRM: If you give me the encrypted content and all i need to show it (decryption code and somewhere hidden inside the key), i will be able to decrypt it. No surprise.

    But next:
    Hollywood will demand the nightmare DRM. While w3c said "EME is harmless, you run the CDM in a sandbox", the movie companies will demand the CDM to be run with admin privileges to check the integrity of your video driver. And when it's established, there's nothing stopping them adding code to scan for clonecd and other signs you

C for yourself.

Working...