On the list of things Netflix probably doesn’t want to deal with, we’d say that “a way to download an offline copy of any show offered on its service” is probably number one.

According to Wired(Opens in a new window), two security researchers have found a vulnerability in Google’s Chrome browser related to how the browser treats media streaming. Specifically, the issue centers around how Chrome’s Wildvine—its digital rights management system—handles the exchange between the browser and streaming services’ content protection systems. The bug, allegedly a simple one to execute, allows a person to obtain a copy of a stream right after it’s decrypted but before it starts streaming in your browser. Hello, free content.

The researchers—David Livshits and Alexandra Mikityuk—demonstrate the bug in the video below. They aren’t making public the specific details of the vulnerability just yet, as they reported the issue to Google on May 24 and are giving the company 90 days to patch the issue.

Google told Wired that it has been aware of the vulnerability for some time now. The key issue is that it’s a Chromium problem—not just a Chrome problem. Google could patch the vulnerability by redesigning how the browser treats decrypted content, which could involve moving the decryption process to a secure environment so other tools couldn’t be used to hijack the decrypted stream as it was passing to the browser’s player. However, there wouldn’t be a way to stop someone from reversing Google’s fix within the Chromium code and releasing a browser variant that worked just as it did before, vulnerability and all.

“Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths,” the spokesperson said.