
Disney's Video Streaming Service Hotstar Halts Support for Safari Browser (techcrunch.com)

Hotstar, India's largest video streaming service with more than 300 million users, disabled support for Apple's Safari web browser last week to mitigate a security flaw that allowed unauthorized usage of its platform, TechCrunch reports, citing sources. From the report: As users began to complain about not being able to use Hotstar on Safari, the company's official support account asserted that "technical limitations" on Apple's part were the bottleneck. "These limitations have been from Safari; there is very little we can do on this," the account tweeted Friday evening. Sources at Hotstar told TechCrunch that this was not an accurate description of the event. Instead, the company's engineers had identified a security hole that was being exploited by unauthorized users to access and distribute Hotstar's content -- including the premium catalog. Hotstar, which assumes the global record for most concurrent views on a live event, is operated by Star India, a media conglomerate in India that was part of 20th Century Fox that Disney acquired earlier this year.
  • Browser security? (Score:5, Insightful)

    by Anonymous Coward on Monday June 10, 2019 @09:43AM (#58739056)

    If you're relying on browser security to secure the data on the host server, there's something fundamentally wrong with the server code.

    There should be no possible way a security hole of any kind in any browser should be able to compromise a server. This is just begging for a security breach...

    • by Junta ( 36770 ) on Monday June 10, 2019 @09:54AM (#58739130)

      Note it said 'unauthorized usage', not 'unauthorized users'.

      I presume they figured out that people figured out how to exploit Safari to download and save videos, as opposed to streaming them.

      So here the device is allowed to have the content, and there's nothing much the server can do to limit what the client does with the data once downloaded. Well, short of blacklisting the implementations...

      DRM has the challenge of having Alice and Bob and concerns about Chuck, except that Chuck is also Bob...

      • by guruevi ( 827432 )

        Chrome has the same options and Firefox can too with some plugins. You can make Safari look like Chrome and Firefox too and still have the same 'problems'.

        If you don't want them downloading the data, then don't provide it. You can make it a little more difficult by streaming rather than just offering an MP4 but if I can see it, I can replicate it, even digitally.

        • by Junta ( 36770 )

          You can make Safari look like Chrome and Firefox too and still have the same 'problems'.

          Are there technical details on this that suggest this is the case? I was presuming they de-authorized some DRM key used by Safari, which would be more effective than a user agent check.

          By the same token, I presume they found some deficiency with how Safari implements DRM.

          Note I have not actually poked around to see for myself, but my presumption would be that DRMed content as handled by browsers allowed to play with that content treats DRM content differently and not as susceptible to playing with extensio

          • by Falos ( 2905315 )

            I'm not sure it's "Safari doesn't support our DRM" as much as "Safari gets around our not-DRM bandaids /too/ easily"

            YouTube doesn't use DRM, it just impedes enough to stymie septembers. Chrome is deliberately stripped of addons that will enable said septembers. It's "not hard", clearly, but it merely needs to be hard enough. Get it anywhere past "easy" and you can call it a day.

            They don't care about being /secure/, they just don't want low-hanging fruit that too many of the masses are scooping. They're awar

            • by Junta ( 36770 )

              'YouTube' has some Widevine protected content. The vast majority of content on YouTube is not so protected, but it does exist.

              Of course, this article isn't about YouTube, but a Disney brand, which based on their history, almost certainly employs some DRM.

      • by Freischutz ( 4776131 ) on Monday June 10, 2019 @10:32AM (#58739326)

        Note it said 'unauthorized usage', not 'unauthorized users'.

        I presume they figured out that people figured out how to exploit Safari to download and save videos, as opposed to streaming them.

        So here the device is allowed to have the content, and there's nothing much the server can do to limit what the client does with the data once downloaded. Well, short of blacklisting the implementations...

        DRM has the challenge of having Alice and Bob and concerns about Chuck, except that Chuck is also Bob...

        If Disney's problem is that they are still trying and failing to stop people from pirating streaming content then Disney should change its logo from that Bavarian fairytale castle to Don Quixote jousting with windmills.

      • by hey! ( 33014 ) on Monday June 10, 2019 @10:34AM (#58739344) Homepage Journal

        It's a good thing that Safari users can't spoof the user agent sent to that site then, say by going to the app settings "advanced" tab and enabling the developer menu.

        • by OzPeter ( 195038 )

          It's a good thing that Safari users can't spoof the user agent sent to that site then, say by going to the app settings "advanced" tab and enabling the developer menu.

          Which made me wonder .. would doing such a thing in the USA be considered as bypassing DRM?

        • by Junta ( 36770 )

          I frankly have not been paying attention, but there might be something stronger. For example perhaps Safari is granted a decryption key and the site de-authorized Safari's decryption key.

          While they can spoof a user agent, if it's a vendor DRM key, they would not be able to impersonate Chrome's key.

          Note this is a guess and could be wrong, but with DRM efforts in play, there are things stronger than user agent that may be acted upon.

      • DRM has the challenge of having Alice and Bob and concerns about Chuck, except that Chuck is also Bob.

        We’ve known for a long time now that draconian anti-piracy measures screw paying customers as well as the actual pirates. What we learned from this particular event is that the content owners know this and do not give a shit: if it’s a choice between letting pirates have the content or cutting off paying customers as well, they choose the latter.

        • by Junta ( 36770 )

          screw paying customers as well as the actual pirates.

          In fact, as is generally the case for anti-piracy schemes, screw the paying customers worse than non-paying. These measures will fail to *someone* and promptly the download sites will light up with illegal copies.

          Play it in whatever media playing device and software you want? Non-paying customers can do that freely, paying customers are locked in to something else. Even back when the only 'protection' was a scary 'FBI Warning' at the beginning, bootlegs would skip that.

          Every step of the way measures are

    • Their service probably handled connections that claimed to be from Safari in a different way that had a security hole. They decided to block all "Safari" traffic until they fixed it.

    • by Jaime2 ( 824950 )
      Sounds like it might be possible to get free premium content by using Safari with a Chrome user agent. Let's hope no one with a shred of intelligence and malicious intent gets word of this.
    • My thought exactly.
      Other than fixing the server side problem, you just cut off a customer base to make the problem seem less intense.

      But this is the general trend that I am seeing.
      Companies are not trying to get more customers, and keeping their existing customers to be returning again. They are setting their business up that their profits come from cost savings on their existing customer base, and make their product just good enough to prevent them from switching.

      This isn't just in tech, but across all s

    • Are there many Apple customers in India? I thought they were more informed and careful about their money on the subcontinent.

      • There are a lot of secondary market iOS devices ("recycled").

      • Are there many Apple customers in India? I thought they were more informed and careful about their money on the subcontinent.

        I don't know currently but India is on the way up, the next China, so no doubt Apple will spy the billion plus potential customers and do what it does to make them think having an iThingy means you're middle/upper class. The untouchables will be those on Android soon enough XD

      • India is a really big country, with a huge population. While there are a lot of poor people, just being that there are billions of people, the top 1% who can afford Apple products is still a lot of people. While the Class system isn't official anymore, it is considered common for the wealthy to show off their wealth a bit more than in the US. So I would expect there are enough Apple users to be considered a business risk.

  • Not exactly the socioeconomic target market for Apple products, so I don't expect this announcement affects many users there.
    • depends, are those 1% affluent and a huge market for luxury goods?

    • by guruevi ( 827432 )

      Apple's second-hand marketshare is huge in India though. People are buying refurb iPhone 4's for $20 there even though plenty of Android handsets are available (although they universally suck)

    • by guruevi ( 827432 )

      Also, 1% of 3B people is HUGE. That's the entire US market doubled.

      • 3B is indeed huge. Even compared to India's population of 1.3B.

  • It's never (Score:3, Insightful)

    by Obfuscant ( 592200 ) on Monday June 10, 2019 @11:17AM (#58739566)
    When a service STOPS working on a platform, it is almost never a limitation of the platform that is to blame, it is always a deliberate decision of the provider to stop supporting customers who use that platform.

    I.e., not Apple's fault here.

  • If a browser bug can let me watch stuff for free, I'd sure like to know what it is. And if it will work on the upcoming Disney+ service.
