Adobe Flash vulnerability closed, ending free Amazon movie downloads [UPDATED]
Reuters explains how the mechanisms behind Amazon's Flash-powered video store allow entire movie streams to be captured.
Update 9.29.08: Almost immediately following the exposure of the vulnerability, Amazon reportedly converted its entire collection of streaming content to Adobe's encrypted RTMPE protocol -- many had previously used the unencrypted RTMP variety -- effectively closing the loophole.
Reuters has revealed a security flaw in Adobe's online video playing Flash software, one that allows readily-available software to capture full-length movies from Amazon's Video on Demand service. Testing by the international news wire showed that programs such as Replay Media Capture, designed to make local copies of YouTube or other web-hosted videos, are capable of copying an entire streamed film from Amazon once its free two-minute preview has begun playing. Because Amazon wants paying customers to be able to watch their purchases as quickly as possible, that two-minute preview is really the first two minutes of the full, unencrypted stream -- allowing films to be watched sooner than if the previews were dedicated files, but also allowing video capture programs to continue copying the data on the back end even after the player has stopped showing footage on the front end. It remains to be seen if either Amazon or Adobe will institute technological changes to thwart this now-widely-known loophole. Originally published on Sunday, September 28, 2008 at 11:31AM.
Get more information on topics relating to this story:
- Related glossary terms:
- Video on demand
- Related brand news:
- Adobe Flash
- Related devices and services:
- Adobe Flash Player
Sony PS3 Slim image gallery
Comments (5)
Add a comment Inappropriate or promotional comments may be removed.
Francis Lukesh
(8:34 PM on Sun Sep 28, 2008)
Flash Player has had the critical flaw of not being able to cancel HTTP requests for years. This causes all kinds of problems for Flash / Flex developers across the board, not only for media streaming applications. Adobe has finally implemented a fix in Flash Player 10--which should be out of beta in the next few weeks--that allows the developer to actually cancel a request and stop the stream. The development community has been bringing this to Adobe's attention for years, and why it has only yet to be addressed is beyond me--it seems so basic. It isn't a great idea to use the actual full-length media for a preview versus creating a separate preview version, but this flaw makes it extremely easy to grab any file that Flash requests.
Evan Blass (9:09 PM on Sun Sep 28, 2008)
Great info, thanks for contributing :)
Stephen Schenck (11:30 PM on Sun Sep 28, 2008)
I don't think this is really much of a problem. If someone's in the mindset to pirate a film, this is probably the worst way to do it. Why would someone who was going to break the law anyway jump through hoops to snag a proprietarily flash-compressed video when he or she could pull a full DVD image off Usenet?
Evan Blass (8:16 AM on Mon Sep 29, 2008)
Primarily because movie studios track that sort of illegal behavior, while this capture method is in a much grayer area in terms of legality.
CHRIS (8:15 AM on Fri Nov 14, 2008)
now that replay media capture doesnt work with flash10, I guess I will go back to Jaksta, that still works