Exploiting Music Streaming with JavaScript

Presented at DEF CON 21 (2013), Aug. 4, 2013, 10 a.m. (45 minutes)

As the music industry transitioned from physical to digital distribution, it forgot the one thing it holds most dear: its DRM. Many browser-based music streaming services use no DRM to secure their music. By doing this, they leave their library of high-quality songs free for the picking.

This presentation details the use of JavaScript to circumvent the security of several browser-based music streaming services. By reverse engineering the code for several music players, it is possible to mimic the music player to download songs rather than stream them. Many services that are too difficult or obfuscated to reverse engineer can still be exploited by intercepting streaming traffic and making identical requests to download songs. This presentation covers the basics of music streaming, demonstrates browser-based traffic logging to identify and download music files, and describes the use of JavaScript to mimic the legitimate player in order to bypass security. The end result is a Google Chrome extension which will allow users to download songs as they stream them.

