Given how horribly all major companies, MS most certainly included, confuse authentication vs. authorization, this is almost certainly able to be paired with a 'vulnerable' (all) endpoint to retrieve/post/update player information.
The horizontal pivot from DRM/crypto-managed Identity to a session token, an unassumingly-kosher redirect, or just omitting the "AUTHENTICATION" header itself is a trivial exercise for the common script kiddie.
This is how exploit chains get a foothold, and "secure" accounts get compromised like it was 2010 again.
And it paints an even bigger target on domestic Windows machines used
for media content.
Who wants to "steal" their _own_ keys?
Microsoft's broken DRM scheme creates objects of value which it then
tries to store on the client's machine deliberately beyond the owner's
control and security management. It is adversarial to the user. This
is clearly a no-win situation... hence the snarky sign-off about
vendors "raising the bar", basically saying: Good luck with that! It
really seems quite unhinged.
So now there is collateral damage:
- A motive to hack Windows machines to steal content keys.
- A misuse of "identities" through a market in stolen keys
- Pivots (as parent says) to other malware vectors
So, predictably, because of DRM, Microsoft Windows is now an even more
dangerous and insecure system. Why do people persist in chasing this
unnecessary, pathologically involuted technological misadventure?
Surely "controlling and monitoring people's content" is not a hill
worth dying on?