tomer8007 / widevine-l3-decryptor

A Chrome extension that demonstrates bypassing Widevine L3 DRM
MIT License

Bug bounty program #6

Closed videoarchitect1234 closed 3 years ago

videoarchitect1234 commented 3 years ago

Why go for anonymous glory when you can derive value from your work?

https://bugcrowd.com/netflix

Note in particular:

Device & Content Authorization Targets Overview

Methods of subverting Netflix content authorization systems to achieve video playback on unauthorized devices are in scope. Examples include circumventing the content authorization systems, obtaining private keys used for authorization, etc. Only playback of full content is in scope—supplemental content such as trailers, images etc. is not in scope.

Private keys used for video content decryption are in scope. Reports must contain private key material which enables decryption of video streams at the time reported. Groups of keys discovered at the same time (e.g. leaked together) or using the same methods (shared vulnerability across multiple devices) will only qualify for a single reward. Submissions related to screenshots or screen recording are not in scope. Submissions must include actual private key material.

Reports must contain specific, clearly articulated and actionable details relating to how the keys were discovered or extracted to qualify for a reward.

athrowaway-2020 commented 3 years ago

This should not be considered a "bug" or "vulnerability" if the private key was extracted from the CDM library's white-box mathematically. It is just an inherent property of all forms of obfuscation, including software white-box crypto, that they can be reversed; it's not a vulnerability. This would be a vulnerability if the CDM was programmed incorrectly and, as a result of an actual "bug", made the process of extracting the private key easier, or flat out spat it out in the clear, for example. But as far as what can be inferred from the repo owner's own words, the private key was simply reverse engineered out of the white-box.

Also, if there in fact was a vulnerability, this should preferably be reported to Google, and more specifically the Widevine team, since they are responsible for developing the Widevine CDM, not Netflix.