Hey folks 🤠,
This blog is about hacking/testing HLS streams for some bounty and fun. If you ever notice a .m3u8 extension in your network traffic and the content is not public, then this is the blog for you! Give it a try.
What are HLS streams?
HLS streams are designed to break a large video or other file into small chunks and transfer them to users as they need them to watch a movie or video. I mean, it's better to fetch a few small video chunks than to fetch the whole single file just to watch some parts of that video; it saves time and it's fast too. That's my understanding of HLS streams.
Working of HLS streams:
Now, it's complex to get all the small chunks one by one in the proper order, so HLS streams use files named M3U8. This file contains the URLs of these small chunks, so a user can fetch the .m3u8 file and the player will fetch the small chunks from the URLs derived from the .m3u8 file.
What's wrong?
Now think: there's a paid platform which uses HLS streams. What if you just got their m3u8 files? Won't that let you download all the chunks, pirate the content and watch the movie/video without a subscription at any time? We can literally share it with anyone 😉
The current defence = Encryption:
Now, it's really basic that this will need some kind of security. For that, a secret key is embedded into the m3u8 file, which is used to encrypt these small chunks so no one can use them. But it's obvious that anyone who can access the .m3u8 file can extract that secret key from the file and decrypt the chunks to pirate those paid video files.
Still, there are ways to make HLS streams secure: adding a session check while fetching the small chunks so no other user can fetch them, authorization of the index or m3u8 file, and storing the key in an encrypted format like Apple is doing on their platforms 😉
Now, for testing this kind of HLS stream, all we have to do is fetch the .m3u8 file, and for that we can use tools and extensions like m3u8 finder, m3u8 downloader etc. Once we have that file, we can put it in a downloader and it will download all the chunks and merge them for us.
Testing Encrypted HLS Streams
Now what if the stream is encrypted? Then we can check the m3u8 file; it will contain a line with hls.keys. Just check it: there's a high chance that we can get the decryption key for it. It's really very high.
We can also use ffmpeg to directly fetch the video from an index file or .m3u8 file.
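To check your own playlists for the weakness described above (a key that anyone holding the .m3u8 can fetch) versus the stronger key delivery mentioned for Apple, here is an added example that is not from the original post. It reads the EXT-X-KEY tag that HLS (RFC 8216) uses to declare encryption and classifies how the key is delivered; the playlists, hostnames and severity labels are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Attribute lists are comma-separated, but quoted values may contain commas.
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def parse_attrs(attr_list):
    """Turn 'METHOD=AES-128,URI="..."' into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in ATTR_RE.findall(attr_list)}

def classify_key(attrs):
    """Return (severity, reason) for one EXT-X-KEY attribute set."""
    method = attrs.get("METHOD", "NONE")
    scheme = urlparse(attrs.get("URI", "")).scheme.lower()
    keyformat = attrs.get("KEYFORMAT", "identity")
    if method == "NONE":
        return "high", "segments are not encrypted"
    if keyformat != "identity" or scheme not in ("", "http", "https"):
        return "info", "key is delivered by a DRM/license system, not a plain URL"
    return "medium", "raw key is served from a URL; require per-user authorization on it"

def audit_playlist(text):
    """Audit every EXT-X-KEY tag; a media playlist without one is unencrypted."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#EXT-X-KEY:"):
            attrs = parse_attrs(line.split(":", 1)[1])
            findings.append((n, attrs.get("METHOD", "NONE"), *classify_key(attrs)))
    if not findings and "#EXTINF" in text:
        findings.append((0, "NONE", "high", "no EXT-X-KEY tag: segments are not encrypted"))
    return findings

# Constructed sample playlists (hosts, key path and asset id are made up).
WEAK = """#EXTM3U
#EXT-X-KEY:METHOD=AES-128,URI="https://media.example.com/keys/ep1.key",IV=0x00000000000000000000000000000001
#EXTINF:6.0,
seg0.ts
"""
DRM = """#EXTM3U
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://example-asset-id",KEYFORMAT="com.apple.streamingkeydelivery"
#EXTINF:6.0,
seg0.ts
"""

if __name__ == "__main__":
    for name, playlist in (("weak", WEAK), ("drm", DRM)):
        for finding in audit_playlist(playlist):
            print(name, finding)
```

A "medium" finding is only as safe as the key endpoint behind it, so pair this check with a request to that URL from an unauthenticated session in your own test environment.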
A failed attempt at testing HLS streams on a huge organization:
As I started to test an OTT platform from [redacted domain] named [redacted TV], I found that there are m3u8 files which contain links to small chunks of videos. There is no authorization to download those small video chunks, so it's a clean security concern, but the thing which is stopping attackers from pirating the content is the sample AES encryption: we will need a key to decrypt these HLS streams, but as I can see in the index file, it says something like AAA://123.AA [Changed due to security concerns], so I cannot get the decryption key. So even if I have the whole video file I cannot open it without the key, so it's totally safe.
After that, I started to test the same app on different platforms and found that the HLS stream is getting downloaded as .frag files in a xx.xxxx directory, and it's playing offline via an inbuilt player, so there should be a key somewhere inside which is used to decrypt those downloaded chunk files. I tried my best and downloaded a whole episode, but was not able to make it play in the end.
If there's anything which could be added or edited in this, just ping me on my Twitter: __Sam0_0
If you liked the blog, you can follow me on Twitter: __Sam0_0
Thanks.