Google's much-trumpeted Widevine digital rights management (DRM) system has the kind of hole that gives content owners nightmares: users can access local, decrypted versions of protected content.
Ben-Gurion University PhD student David Livshits has unearthed the issue and published a proof-of-concept, but is waiting for Google to plug the hole before publishing the details.
From his proof-of-concept video it looks like Livshits found a local decrypted cache version of the CDM (content decryption module)-protected content.
The Widevine vulnerability, the university says, has been tested "successfully and consistently" on different Chrome versions, against Netflix and Amazon video services.
The university hints that other DRM schemes might be similarly vulnerable, with lecturer and researcher Dr Rami Puzis quoted as saying: "We hope that disclosure of this vulnerability will urge other DRM vendors to re-evaluate the security of their products and provide additional layers of defence."
The bug has been reported to Google, and the university says details will be released once Mountain View has pushed out a fix. ®