The FLAW in AMAZON MUSIC…

GautamKalla
3 min read · Jun 27, 2022

In the following, let's discuss flaws in Amazon's Music service that make it possible to bypass two of its major security implementations:

I. Getting their high quality encrypted content without any subscription.

II. Decrypting the encrypted content.

What happens when we click play button?

Before going further: an ASIN is the identifier Amazon assigns to each of its products, so every track has one. We are logged in to https://music.amazon.com with a normal account, which anyone can create at any time.

The main API endpoint for the North America (NA) region is "https://music.amazon.com/NA/api/dmls/".

Now we try to play a track.

A POST request is sent to the API endpoint with a payload containing the following key-value pairs:

"identifier": ASIN, "contentProtectionList": "TRACK_PSSH", "musicDashVersionList": "SIREN_KATANA", among others.

The response is a DASH manifest of musicDashVersion "SIREN_KATANA". So what do these terms mean?

The DASH manifest file, called the Media Presentation Description (MPD), is an XML file that identifies the various content components and the location of all alternative streams.

In DASH, the content is encrypted with Common Encryption (CENC) and signalled for both PlayReady and Widevine; you can read about the CENC and PSSH implementations from here.

With TRACK_PSSH, we are requesting a DASH manifest that carries a PSSH header per individual track, so a license is needed for each track every time.

Now let's look at another variant Amazon uses, "GROUP_PSSH", in which a group of tracks is encrypted under a master key, so a license is not needed every time: this is the group licensing feature. This simply means that if one can obtain the master key and cache it, one can get higher-quality tracks from Amazon Music with a normal account.

TRACK_PSSH vs GROUP_PSSH

So, from the above, the license for the same content can be obtained in two different ways: TRACK_PSSH requires a new license request every time, while GROUP_PSSH requires only one.

In the highlighted part of the picture above, you can see GROUP LICENSING, also called ENTITLEMENT, where the group's ID is KATANA_CONTENT:US and it has a master key ID.
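For anyone auditing what a manifest like the ones above exposes, here is a small inspector for the ContentProtection data carried in a DASH MPD. It is an added example, not code from this post or from Amazon; the pssh box layout follows ISO/IEC 23001-7, and the MPD, key ID and box payload are constructed samples, not real Amazon data.

```python
import base64
import struct
import xml.etree.ElementTree as ET

SYSTEM_IDS = {"edef8ba979d64acea3c827dcd51d21ed": "Widevine",   # DASH-IF registry IDs
              "9a04f07998404286ab92e65be0885f95": "PlayReady"}
NS = {"mpd": "urn:mpeg:dash:schema:mpd:2011", "cenc": "urn:mpeg:cenc:2013"}

def parse_pssh(box: bytes) -> dict:
    """Decode one ISO BMFF 'pssh' box using the ISO/IEC 23001-7 layout."""
    size, box_type = struct.unpack(">I4s", box[:8])           # box header
    version, system_id, pos, kids = box[8], box[12:28].hex(), 28, []
    if version > 0:                                            # v1 carries a KID list
        (count,) = struct.unpack(">I", box[pos:pos + 4])
        pos += 4
        for _ in range(count):
            kids.append(box[pos:pos + 16].hex())
            pos += 16
    (data_size,) = struct.unpack(">I", box[pos:pos + 4])      # opaque DRM data
    if box_type != b"pssh" or len(box) != size or size != pos + 4 + data_size:
        raise ValueError("not a well-formed pssh box")
    return {"system": SYSTEM_IDS.get(system_id, system_id), "version": version,
            "kids": kids, "data_len": data_size}

def summarize_mpd(mpd_xml: str) -> list:
    """Per AdaptationSet: the cenc:default_KID and every pssh box the MPD advertises."""
    out = []
    for aset in ET.fromstring(mpd_xml).iter(f"{{{NS['mpd']}}}AdaptationSet"):
        kid, entries = None, []
        for cp in aset.findall("mpd:ContentProtection", NS):
            kid = cp.get(f"{{{NS['cenc']}}}default_KID") or kid
            pssh = cp.find("cenc:pssh", NS)
            if pssh is not None and pssh.text:
                entries.append(parse_pssh(base64.b64decode(pssh.text.strip())))
        for entry in entries:                                  # same KID on every track = shared key
            entry["default_kid"] = kid
        out.extend(entries)
    return out

# Constructed sample, not Amazon data: a version-1 Widevine pssh box naming one KID.
SAMPLE_KID = "00112233445566778899aabbccddeeff"
_body = b"\x01\x00\x00\x00" + bytes.fromhex("edef8ba979d64acea3c827dcd51d21ed")
_body += struct.pack(">I", 1) + bytes.fromhex(SAMPLE_KID) + struct.pack(">I", 4) + b"demo"
SAMPLE_PSSH = base64.b64encode(struct.pack(">I", 8 + len(_body)) + b"pssh" + _body).decode()
SAMPLE_MPD = f"""<MPD xmlns="urn:mpeg:dash:schema:mpd:2011" xmlns:cenc="urn:mpeg:cenc:2013">
<Period><AdaptationSet mimeType="audio/mp4"><ContentProtection cenc:default_KID="{SAMPLE_KID}"
 schemeIdUri="urn:mpeg:dash:mp4protection:2011" value="cenc"/><ContentProtection
 schemeIdUri="urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"><cenc:pssh>{SAMPLE_PSSH}</cenc:pssh>
</ContentProtection></AdaptationSet></Period></MPD>"""
```

Running summarize_mpd over each track's manifest and comparing the returned key IDs shows whether keys are issued per track (the TRACK_PSSH case) or shared across a group (the GROUP_PSSH case), which is what a service operator would check when reviewing how much key reuse a catalogue exposes.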

Now we have finally got the higher quality tier with a normal account, which is worthless if we cannot bypass the protection.

We will now focus on the GROUP_PSSH implementation and on obtaining the master key, so that we can eliminate the need to request a license every time.

“DrmType” : “WIDEVINE_ENTITLEMENT” !!!

So far we have seen content retrieval, but playback of encrypted media goes through the browser API called Encrypted Media Extensions (EME); the license request that follows is made on the basis of EME in the browser.

Again a request is sent to the same API endpoint but with a different body/payload, with "DrmType": "WIDEVINE"; since we have already discussed GROUP LICENSING, the DrmType will be "WIDEVINE_ENTITLEMENT".

After following discussions at https://news.ycombinator.com/, I got to know about exploits on Widevine and powerful module(s) for it written in Python. Using these, people can successfully make license requests to servers and obtain decryption keys.

Part “II. Decrypting the encrypted content” to be written…
