Researchers Discover DRM Vulnerability with Google Chrome

Security researchers have recently disclosed a vulnerability in Google’s Chrome browser that can be used to bypass built-in digital rights management (DRM) security.

DRM functionality is included natively in modern browsers via “Encrypted Media Extensions” enabling the playback of encrypted video and audio content using HTML5 without the need for plugins such as Flash® or Silverlight®. This feature exists as a means of curbing piracy by allowing only authorized users to play protected premium content in the browser while reducing the security and performance issues associated with plugins.

Playback of encrypted content in HTML5 requires a DRM-enabled player application, which must use the browser’s built-in decryption system, known as a Content Decryption Module (CDM). Different browsers use different CDMs, and as such, player applications can only be as secure as the CDM a browser supports.

Researchers from Ben-Gurion University in Israel and Telekom Innovation Laboratories in Germany uncovered a flaw that enabled them to save to a computer’s disk drive a decrypted version of content streamed through a Chromium-based browser with Google’s Widevine CDM. Currently, the researchers have only experimented with Chrome for desktop and its default Widevine CDM system.

The method used to exploit the bug has not been publicly disclosed, to prevent malicious use. However, a proof-of-concept video has been released demonstrating the Chrome browser vulnerability (using Creative Commons content). In this video the researchers have chosen to use our online video playback demo page. We created this page solely to demonstrate encrypted content playback with our DASH Everywhere cross-browser player and our multi-DRM licensing service, DRMtoday.

While we are pleased the researchers selected our easy-to-use demo to conduct their proof-of-concept, we would like to highlight that security vulnerabilities within browsers exist independently of our video playback products and services. Any player or DRM licensing solution is only as secure as the underlying technologies within the browser they are dependent on.

DRM modules in desktop browsers are in many cases software-based, which presents security limitations compared to hardware-based implementations (which are much more difficult to compromise). Currently, however, software-based DRM implementations are the default option for most desktop browsers, as hardware-based implementations need special chipset support only available on the latest desktop computers. Through our DRM and player solutions we support the detection of such hardware and optionally allow limitation of playback to such platforms.
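A player can approximate the hardware detection described above through the Encrypted Media Extensions API by asking the CDM which robustness level it will grant. The sketch below is an added example, not the vendor's player code; the function names, the injected `nav` parameter and the sample content type are assumptions, and it uses Widevine's key system string and published robustness names.

```javascript
// Added illustration. Widevine robustness names, strongest first.
const WIDEVINE_LEVELS = ["HW_SECURE_ALL", "HW_SECURE_DECODE", "HW_SECURE_CRYPTO",
                         "SW_SECURE_DECODE", "SW_SECURE_CRYPTO"];

const isHardwareBacked = (level) =>
  typeof level === "string" && level.startsWith("HW_");

// Probe the strongest video robustness the CDM will accept.
// `nav` is injected (pass `navigator` in a browser) so the logic runs offline too.
async function strongestRobustness(nav, contentType = 'video/mp4; codecs="avc1.42E01E"') {
  if (!nav || typeof nav.requestMediaKeySystemAccess !== "function") {
    return null; // browser has no EME support at all
  }
  for (const robustness of WIDEVINE_LEVELS) {
    const config = [{
      initDataTypes: ["cenc"],
      videoCapabilities: [{ contentType, robustness }],
    }];
    try {
      const access = await nav.requestMediaKeySystemAccess("com.widevine.alpha", config);
      // Use what the CDM reports it selected, not merely what was requested.
      const granted = access.getConfiguration().videoCapabilities[0].robustness;
      return granted || robustness;
    } catch (err) {
      // Request rejected: this level is unavailable, try the next weaker one.
    }
  }
  return null;
}

// Policy gate: premium streams may require a hardware-backed level.
async function playbackDecision(nav, requireHardware) {
  const level = await strongestRobustness(nav);
  if (level === null) return { allow: false, level, reason: "no-widevine" };
  if (requireHardware && !isHardwareBacked(level)) {
    return { allow: false, level, reason: "software-cdm-only" };
  }
  return { allow: true, level, reason: "ok" };
}
```

A browser-side probe like this is advisory only, since the page's scripts run on the viewer's machine; the same requirement should be enforced by the license server when it decides whether to issue keys.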

The research team has notified Google directly about the Chrome security issue and is working with the company to address the vulnerability.

It is very beneficial when technology vulnerabilities are responsibly uncovered and software companies are properly notified, such as in this case, as this ultimately leads to greater playback security for the industry.

You can read more about the story on and via an article from Ben-Gurion University, where part of the research took place.

Contact us to learn more about our video player and DRM licensing solution features.


Posted by

Bryce Pedersen
Global Marketing Strategy