Nimish Agrawal

I like to code, read books. I am from NIT Trichy.

A Common Vulnerability in Live Streams

23 Apr 2021 »

Live streams are provided by many television companies to stream live matches, channels, etc. They are also used by platforms like Twitch.

To understand the vulnerability, we need to understand how are live streams served. To serve live streams, nowadays, a commonly used protocol is HLS.

Now in HLS Protocol, the server that is hosting the stream serves a file called *.m3u8, which is like a root file that contains links to *.ts files. Now, these *.ts files contain the actual video segment. There are multiple ts file links in the m3u8 file and the m3u8 file is updated according to time, so to provide the links of the content that is to be rendered live.

A Sample m3u8 file from a streaming service

#EXTM3U
#EXT-X-VERSION:5
#EXT-X-MEDIA-SEQUENCE:13802750
#EXT-X-TARGETDURATION:11
#EXT-X-KEY:METHOD=AES-128,URI="https://adultswim-vodlive.cdn.turner.com/2fb790648f5f04290915750ab11016f4/layer3/seg.key",IV=0xe233d75539dd787e7cee46ecb6e518f1
#EXTINF:10.010,
#EXT-X-PROGRAM-DATE-TIME:2021-04-23T18:05:32.209Z
https://adultswim-vodlive.cdn.turner.com/2fb790648f5f04290915750ab11016f4/layer3/seg_00033.ts

Now in the last line, it mentions about *.ts file link, this file is then fetched by the HLS player in the browser and the video displays.

Vulnerability

The common vulnerability that occurs is, many streaming services provide a free preview of the content. They have an HLS Player on their website (a player which when fed m3u8 file, use HTML5 video player, does all the processing and display the stream, there are a lot of open-source players available in JS), with which they handle stuff like displaying streams, ads, etc. Check video-dev/hls.js/, it is used by many websites.

So in that process, they send a link to m3u8 file. Now to prevent abuse, when using the website player, when free time is finished, they send a request to the server so that when the user tries to watch the stream again, it won’t send them the m3u8 file.

Network Calls for a Streaming Service An image showing network calls of a famous live stream provider

But if we can get the m3u8 link of the stream that is fetched by the server in the beginning, and use some external HLS player to display that, not the one by the website, thus bypassing ads, free time, we can watch the stream for how long we want. Since the host’s server does not get any calls regarding the time elapsed and we are not using their player, the content can be watched without any restriction.

To do this sometime back I made a web extension Freestream, which scrapes m3u8 calls from the preview and renders it in its own HLS player.

Though now many streaming services check for Authorization Header while fetching m3u8 and ts files, in that case, it might be difficult to bypass. But for me, it was kind of fun using this to watch cricket matches for free.

P.S. - It does not work on Hotstar