My Profile Photo


Security, IoT, 3GPP, Programming, Finance, Economics, and Rants

Private Disclosure #4: Stealing from the Netflix of South India

Sometime during August 2015, I signed up for an account with a service which is very similar to Netflix, but for South Indian movies (predominantly Tamizh). The Interface felt fluid much like Netflix, and I could spot at least 5 nice UX things that I learnt from Rochelle King’s talk at Spotify HQ few years ago. I decided to poke around the backend to see what sort of security mechanisms they have got, to prevent users from Downloading or Hotlinking movies from the CDN.

After cuddling with Chrome Developer Tools for a while, I could see that they were using a basic setup from Akami. I’ve never played around with streaming video services, so it was a challenge for me. The goal was to see if there was a possibility to download a high quality movie directly from the CDN (Not from the local browser cache).

Game On

The webplayer received a set of index_x_av.m3u8 playlist files from the CDN, index_4_av.m3u8 being Highest Resolution and index_0_av.m3u8 being the lowest. Opening it up in VLC loaded the stream, but since my goal was to download the movie, I skipped the kid stuff. The index_x_av.m3u8 files had URLs to all the segments of the movie. A simple wget magic must do it right?


Since the URLs followed the same pattern throughout all the segments, I didn’t even need to parse the URLs from the playlist file. The below bash script generated URLs for all the segments of the movie, and attempted to download each segment.

echo "Generating Links..."
for i in `seq 1 1013`;
  echo ",.mp4.csmil/segment${i}_4_av.ts" >> links.txt
echo "Initiating Download.. Fasten your seat belts.."
wget -i ./links.txt

I watched it painfully wget download each segment at 40kbps. Good’ol Madras days eh. Bummer! It happens that Akamai slowed the crap down if you don’t have a regular browser user-agent set on wget. But that’s an easy fix, the one below fixed the issue, and I was able to get back to the first world speed.

wget -d --header="User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11" 
--header="Accept-Encoding: compress, gzip" -i links.txt 

Now that all 1013 segments were downloaded to my local disk, what needed to be done was stiching them all together. ffmpeg is your one stop shop for all video related things. I used it to screepcap for security demos back in the days. So, I spent the next 6 hours trying to find the right argument/codec to be used to stick all these segments together, when I stumbled upon the -i option, which basically worked like wget. You pass in the playlist file to ffmpeg and it would automatically download and stick the files on the fly.

ffmpeg -i,.mp4.csmil/index_4_av.m3u8 -t 10122 -c copy fullmovie.ts   

The User-Agent issue struck back again, and it seemed that the User-Agent plugin in ffmpeg was broken. Dreams shattered.

After a while it occured to me that, since I already have all the segments on my local disk, I could just run ffmpeg -i on the playlist file after modifying the URLs tp point to my local copy, hosted on a local webserver. That way I can escape Akamai’s user-agent bashing.

After my modification the playlist file looked like this


And runing ffmpeg with

ffmpeg -i -t 10122 -c copy fullmovie.ts

did the job. Mission Accomplished.

The issue was reported to the dev team the next day, along with possible mitigations like Player Verification, and Encrypted Streaming which Akamai provide (for additional cost). This was quite a serious bug because, the people who run this service buy International Telecast rights for movies from the Producers/Distributors and they probably won’t be very happy if they knew it was this easy to steal a movie.