Chrome Bug Makes It Easy To Download Movies From Netflix and Amazon Prime
A vulnerability found in Chrome by researchers allows people to save copies of movies and TV shows from streaming websites such as Netflix and Amazon Prime. From a Gizmodo report: The vulnerability, first reported by Wired (Editor's note: Wired blocks adblockers), takes advantage of the Widevine EME/CDM technology that Chrome uses to stream encrypted video from content providers. Researchers David Livshits from the Cyber Security Research Center at Ben-Gurion University and Alexandra Mikityuk of Telekom Innovation Laboratories discovered a way to hijack streaming video from the decryption module in the Chrome browser after content has been sent from services like Netflix or Amazon Prime. The researchers created a proof-of-concept (which is currently the only evidence of the exploit) to show how easily they could illegally download streaming video once CDM technology has decrypted it. Google was notified of the bug last month but is yet to patch it.
If this gets out in the wild, there will be a bunch of new Netflix subscribers...
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
... belong to the system running your code. Google can't prevent this without controlling both physical and logical access to clients. Sorry. If your code runs on my processor, I can tell it what to do (or not to do).
LOL!!!!
It's a feature!
So stop being the asshole who posts links to Wired.
Stop being the asshole who blocks ads/won't pay for a subscription.
DRM will always fail.
If it is on a screen or through a speaker
I can capture and re-feature
So spend your money and waste your time
I want media I buy to be mine
I can watch it on a tv
I can watch it on a phone
I can watch it in a car
I can watch it at home
I know to this you are appalled
But any other way and we don't want it at all.
If only their streaming collections weren't piles of excrement I might actually care but as it stands there's nothing worth watching on either service except for the few original series they produce that I can stream unlimited as a member anyway.
This should be called a feature. Netflix advertises itself as a streaming service. Amazon Prime claims that you can "own" the movie. Problem is Prime is still just a streaming service. It's false advertising and the reason I don't use Prime for movies. If I "buy" a movie, I expect to be able to d/l to a portable drive so I can watch it when I don't have a data connection. If I subscribe to streaming service, I won't have that expectation.
"The ferrets, they're every where I tell you!"
DRM does not work. There will always be a way around it.
Is it truly illegal, or just against terms of service?
And yes, I know you may say that the terms of service include not copying etc. However, illegality needs to be determined by law, and not contract. You may have a fair use exception for keeping the content longer than the brief time it is normally on your system.
Remember, video recording of over the air TV was considered "illegal" by movie studios until the courts in the US clarified it for them. (Which led to all those "losses" they suffered as the home video market took off and they profited.)
I'll get right on that, Mr. Conde Nast employer. Oh wait, what's the opposite of that?
(Editor's note: Wired blocks adblockers)
Only in a really poor way apparently. I have an ad-blocker and can get to the link just fine.
And nearly all that content can be accessed faster and more easily via kat or piratebay.
bfd, really
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
you had to have the paid subscription in the first place. call it what it really is, time and/or place shifting for people with shoddy internets, or quotas/throttles that are lifted during off-peak times, or for offline viewing.
you can tivo/dvr hbo, also a paid subscription, and end up with a drm-free near-hd quality (subject to how shitty the cable company recompresses the stream), and that is perfectly legal to do.. why should netflix or amazon prime video be any different?
Netflix Disc subscription... MakeMKV + handbrake. end up with far FAR better quality rips and 100% undetectable by the copyright police.
Do not look at laser with remaining good eye.
Mr. Conde Nast employee?
Yet another headline written by people who don't know how the Internet works.
Chrome Bug Makes It Easy To Download Movies From Netflix and Amazon Prime
When it comes to Amazon Prime, I like this bug... err feature. Owning content that can't download? I was a sucker when I bought a few things that I could have gotten on DVD. Never again.
Changing your user agent string to that of a web crawler easily defeats the ad-block blocker used by many websites like Wired and Forbes.
For the first time ever "it's not a bug, it's a feature" is actually true.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Is a single example produced by researchers really "easy"?
Would that qualify as making downloads "easy"?
-Styopa
stop being the asshole that corrupts ad networks with malware infested links and phishing campaigns and tracks users across 1000s of domains.
___
as for me, the wired link works fine. the adblock detection code must rely on javascript, which noscript dutifully ignores, and TFA is presented in its entirety, and without ads.
Wired works fine for me with uBlock Origin and uMatrix running. YMMV.
I don't block ads. I block services that track me across websites. Serve me ads that don't track me across websites, directly from a server whose FQDN ends in .wired.com, and I'll see them. But neither WIRED nor Forbes appears to be smart enough to set this up.
A lot of us would say, "That's a FEATURE, not a BUG!"
if Netflix had anything worth watching more than once in their streaming catalog.
Netflix seems to be the B movie depository these days.
Did they mean copy?
Which is more likely to be accurate for someone whose billing address is in one country but is visiting another country on vacation or a business trip? The license prefers counting the play toward the revenue for the regionally exclusive distributor for the country in which the person is traveling, not that for the person's home. It's conceptually like visiting a movie theater while traveling.
It's all about deterring the 80%-90% people just like what Microsoft did with Windows (95, 2000, XP etc.)
Heck, while Windows was a matter of entering a known CD key or downloading a volume licensed version, the VPN solution for Netflix doubles your monthly bill so you need both technical ability and a willingness to pay.
Going after the biggest VPNs (e.g. let's say public ones with more than 100 Netflix users) is like Windows activation, sort of a show stopper although it was just one more step that was never intended to stop unlicensed Windows users, just prevent your uncle from installing it (given that Internet access made finding a key trivial).
There's also some "plausible deniability": pretend you don't know about all the VPNs, but show you do something about the ones you know. Thus the media licenseholders won't make a fuss and slashdot users can access the Netflix, which they pay for.
For something to be unlawful ("illegal") it needs to be in violation of a law or statute. There are no statutes prohibiting downloading anything. Clearly then it's not "illegal downloading."
A followup poster suggested that "Copyright law"... something something but no, downloading does not violate anyone's copyright. If it did you wouldn't be able to stream, make a temporary copy in your computer's cache, video GPU cache, etc.
Another poster suggested that the T&Cs form a contract between e.g. Netflix and the streamer which allows streaming but not downloading. This is probably the strongest argument in favor of "something wrong" but it's still not unlawful -- it's a civil contract dispute. Netflix terms are here: https://help.netflix.com/legal... and the relevant phrase is:
"You agree not to archive, download (other than through caching necessary for personal use), ...content ...obtained from or through the Netflix service without express written permission from Netflix... "
So in summary it's not unlawful. Nobody is breaking any laws. Copyright law isn't relevant here. What is relevant is a private agreement between Netflix and its subscriber, and if Netflix feels there's been a breach of contract they can take it to arbitration (not court!) as per their same terms and conditions:
"If you are a Netflix member in the United States (including its possessions and territories), you and Netflix agree that any dispute, claim or controversy arising out of or relating in any way to the Netflix service, these Terms of Use and this Arbitration Agreement, shall be determined by binding arbitration or in small claims court. "
Did I mention that "downloading" is not an unlawful activity? ;)
Ehud Gavron
Tucson AZ
I wonder if Google will update Chrome on Windows XP, Vista, and OS X once this "bug" is fixed.
ROFLAMO
This one definitely qualifies for the term, "it is not a vulnerability, it is a feature". I don't see any harm by being able to record shows on my machine.
Publicizing flaws in deployed DRM schemes only increases the pressure from Hollywood to deploy stronger, more user-hostile schemes. Please don't do it.
This is not a bug but a feature.
Chrome is Google's browser. Eric Schmidt works for the Pentagon. They are saying listen Netflix do you want to battle with us?
https://en.wikipedia.org/wiki/Chromium_(web_browser)
This is the open source version. Chrome is not without connections to every known and unknown tracking mechanism of Google and the USA government.
Don't be gullible.
Been doing this for nearly 6 months and getting a nice collection of movies. And now you have to out it and blow it all away. Thanks.
I can understand the convenience of Netflix. I can understand an ethical point of view against torrenting / piracy. What I can't understand is people paying Netflix and exploiting a bug to capture a netflix stream, when that content is already easily available via torrent. Why would you bother to do that?
As all DRM: If you give me the encrypted content and all I need to show it (decryption code and somewhere hidden inside the key), I will be able to decrypt it. No surprise.
But next:
Hollywood will demand the nightmare DRM. While w3c said "EME is harmless, you run the CDM in a sandbox", the movie companies will demand the CDM to be run with admin privileges to check the integrity of your video driver. And when it's established, there's nothing stopping them adding code to scan for clonecd and other signs you might be a movie pirate (and not like in johnny depp).
Google should never have agreed to EME. They should have said fuck off, no flash, no silverlight no eme, just provide your streams or fuck off and try to sell discs.