Google's Widevine DRM doesn't quite manage

Israeli researchers find local cache of decrypted content


Google's much-trumpeted Widevine digital rights management (DRM) system has the kind of hole that gives content owners nightmares: users can access local, decrypted versions of protected content.

Ben-Gurion University PhD student David Livshits has unearthed the issue and published a proof-of-concept, but is waiting for Google to plug the hole before publishing the details.

From his proof-of-concept video it looks like Livshits found a local decrypted cache version of the CDM (content decryption module)-protected content.

The Widevine vulnerability, the university says, has been tested "successfully and consistently" on different Chrome versions, against Netflix and Amazon video services.

The university hints that other DRM schemes might be similarly vulnerable, with lecturer and researcher Dr Rami Puzis quoted as saying: "We hope that disclosure of this vulnerability will urge other DRM vendors to re-evaluate the security of their products and provide additional layers of defence."

The bug has been reported to Google, and the university says details will be released once Mountain View has pushed out a fix. ®

Youtube Video


Keep Reading

Open Source Vulnerabilities database: Nice idea but too many Google-shaped hoops to jump through at present

Hands On Google Cloud Platform account required, API key comes with Ts&Cs

How good are you at scoring security vulnerabilities, really? Boffins seek infosec pros to take rating skill survey

Real-world CVSS figures are a little variable, or so these folks reckon

Infosec bod: I've found zero-day flaws in Tor's bridge relay defenses. Tor Project: Only the zero part is right

Warnings either not new or need more study, reckons open-source dev team

Just 2.6% of 2019's 18,000 tracked vulnerabilities were actively exploited in the wild

So says Kenna Security in a refreshing piece of counter-FUD analysis

Microsoft emits 112 security hole fixes – including the cure for a Google-disclosed kernel vuln exploited in the wild

Patch Tuesday Android, Adobe, SAP, Red Hat join the bug-busting party

Microsoft emits 83 security fixes – and miscreants are already exploiting one of the vulns in Windows Defender

Patch Tuesday Redmond keeps us hanging with on-premises Exchange flaw still to be fixed

How do you fix a problem like open-source security? Google has an idea, though constraints may not go down well

'Try telling leaders of libpng, libjpeg-turbo, openssl, ffmpeg etc they can't make "unilateral" changes to their own projects'

Tor soups up onion sites with bountiful browser bump: No more tears trying to find the secure sites you want

Latest Tor Browser iteration makes the dark web a bit more memorable

Biting the hand that feeds IT © 1998–2021