The BBC's iPlayer launched for the iPhone last week, but it turned out there was a backdoor which let you download shows without DRM - a subject I mentioned in the Tech Weekly podcast and followed up with a story today.
The hack itself was pretty simple stuff and used the fact that, in order to make compatible with the iPhone, the BBC was actually streaming unrestricted MPEG4s to particular devices. Security through obscurity, I suppose you could call it.
By changing your browser's user agent so that it appeared to be an iPhone, you could find the unprotected MP4 stream and download it to your computer.
Interestingly, when I contacted one of the people who'd spotted the loophole, he said that he believed technical staff knew full well that the exploit was there : "I've heard that programmers inside the BBC are using the same technique I found to watch shows in house - it's bizarre that the people signing contracts can be so divorced from the technical staff," he told me in an email.
Anyway, the BBC have just been in touch to say they've fixed it. Or, more accurately:
"We've released a fix to prevent unrestricted downloading of streamed TV programmes on BBC iPlayer. Like other broadcasters, the security of rights-protected content online is an issue we take very seriously. It's an ongoing, constant process and one which we will continue to monitor."
They didn't say what the fix actually was, and we'll see how successful it is.
New of this loophole was an interesting development, because I think the iPlayer's come on in leaps and bounds since they decided (belatedly) to add a streaming client. It was a relief to see that the team actually dedicating themselves to a system that worked well for users - and finally managing to get the project out from under the BBC's crushing politics and the machinations of their boss Ashley Highfield, the subject of a highly critical piece I wrote last year.
We'll no doubt be following this up. Look out for a short interview with iPlayer chief Anthony Rose in next week's podcast.
