Misconfigurations that plague companies’ streaming platforms may expose sensitive data

Top streaming services like Netflix and Disney+ have invested heavily over the years in locking down their content. Wherever possible, they prevent users from watching videos without a subscription or from getting around regional restrictions. However, new findings presented today at the Defcon security conference in Las Vegas suggest that streaming platforms for things like in-house corporate broadcasts and live sports can contain basic design flaws that let anyone access a great deal of content without logging in.

Independent researcher Farzan Karimi first realized a few years ago that misconfigurations in application programming interfaces, or APIs, can expose streaming content to unauthorized access. In 2020, he disclosed a set of such flaws to Vimeo that would have allowed him to view nearly 2,000 internal corporate meetings along with other types of live events. The company quickly fixed the issue at the time, but Karimi worried that the same problem might lurk on other platforms.

Years later, he realized that by refining a technique for mapping how APIs fetch data and interact with one another, he could look for other vulnerable platforms. At Defcon, Karimi is presenting findings about a mainstream sports streaming platform (he did not name the site because the problem has not yet been fixed) and is releasing a tool to help identify the same class of flaw on other sites.

“For all-hands or other sensitive meetings of a company, critical internal information may be shared – paradise or other executives talking about layoffs or sensitive intellectual property,” Karimi told Wired before the conference talk. “You can see a bad pattern appearing in ways that let you easily circumvent authentication to access the stream, but such issues have been dismissed previously because in-depth knowledge of a particular business is required to identify them.”

An API is a service that fetches data and returns it to whoever asks. Karimi gives the example of searching for the movie Fight Club on a streaming platform: the request may bring back the length of the movie, its trailer, the actors in it, and other metadata. Multiple APIs work together to assemble all of this information, each fetching some type of data. Similarly, if you search for Brad Pitt, a set of APIs interact to deliver Fight Club alongside other movies he starred in, such as Troy and Seven. Some of these APIs are designed to require proof of authentication before returning a result, but if the system has not been reviewed in depth, other APIs often blindly return data without any proof of authorization, on the assumption that only an authenticated requester could be sending them queries.

“Often, there are basically four, five, some number of APIs with all this metadata, and if you know how to track them, you can unlock paid content for free,” Karimi said. “It’s a kind of security-through-obscurity model; they never think someone can manually connect the dots between these APIs. The automation I introduced, however, helps to quickly find these authorization flaws.”
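The two paragraphs above describe a gap between endpoints that check the session and endpoints that assume only logged-in clients ever call them. The following is an added example, not code from the article or from Karimi's tool: a toy catalog API in pure Python with the flawed layout beside a hardened one, plus the self-audit a platform owner would run over their own route table. The title record, URLs and session tokens are constructed placeholders; the route names (`/play`, `/metadata`) and the `audit_unauthenticated_leaks` helper are assumptions for illustration.

```python
"""Added example: per-endpoint versus centrally gated authorization in a
streaming-catalog API, with a defender's self-audit.  Every value below is a
constructed placeholder; nothing here is a real service."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample catalog: the metadata the article mentions (length,
# trailer, cast) plus the one field that must stay behind a login.
CATALOG = {
    "fight-club": {
        "title": "Fight Club",
        "length_min": 139,
        "trailer": "https://cdn.example/trailers/fight-club.mp4",           # placeholder
        "cast": ["Brad Pitt", "Edward Norton"],
        "stream_manifest": "https://cdn.example/streams/fight-club/master.m3u8",  # placeholder
    },
}
SENSITIVE_FIELDS = {"stream_manifest"}
VALID_TOKENS = {"subscriber-token-123"}  # placeholder session tokens


@dataclass
class Response:
    status: int
    body: Dict


Handler = Callable[[str, Optional[str]], Response]


def is_authenticated(token: Optional[str]) -> bool:
    return token in VALID_TOKENS


# --- Flawed layout: each handler decides for itself whether to check ----------
def play_handler(item_id: str, token: Optional[str]) -> Response:
    """The 'play' endpoint checks the session before handing out the manifest."""
    if not is_authenticated(token):
        return Response(401, {"error": "login required"})
    return Response(200, {"stream_manifest": CATALOG[item_id]["stream_manifest"]})


def metadata_handler_unchecked(item_id: str, token: Optional[str]) -> Response:
    """Metadata endpoint that returns the whole record, assuming only
    authenticated clients ever call it.  The manifest leaks with no check."""
    return Response(200, dict(CATALOG[item_id]))


VULNERABLE_ROUTES: Dict[str, Handler] = {
    "/play": play_handler,
    "/metadata": metadata_handler_unchecked,
}


# --- Hardened layout: one gate in front of private routes, scrubbed public ones -
def metadata_handler_public(item_id: str, token: Optional[str]) -> Response:
    """Public metadata never contains a sensitive field, whoever asks."""
    record = {k: v for k, v in CATALOG[item_id].items() if k not in SENSITIVE_FIELDS}
    return Response(200, record)


def require_session(handler: Handler) -> Handler:
    """Wrap a handler so the session check cannot be forgotten per endpoint."""
    def gated(item_id: str, token: Optional[str]) -> Response:
        if not is_authenticated(token):
            return Response(401, {"error": "login required"})
        return handler(item_id, token)
    return gated


HARDENED_ROUTES: Dict[str, Handler] = {
    "/play": require_session(play_handler),
    "/metadata": metadata_handler_public,  # intentionally public, but scrubbed
}


def dispatch(routes: Dict[str, Handler], path: str, item_id: str,
             token: Optional[str] = None) -> Response:
    if path not in routes:
        return Response(404, {"error": "no such route"})
    return routes[path](item_id, token)


def audit_unauthenticated_leaks(routes: Dict[str, Handler], item_id: str) -> List[str]:
    """Defender's self-check: call every route of *your own* API with no
    session and report those that return a sensitive field."""
    leaks = []
    for path in routes:
        resp = dispatch(routes, path, item_id, token=None)
        if resp.status == 200 and SENSITIVE_FIELDS & set(resp.body):
            leaks.append(path)
    return sorted(leaks)


if __name__ == "__main__":
    print("flawed layout leaks:  ", audit_unauthenticated_leaks(VULNERABLE_ROUTES, "fight-club"))
    print("hardened layout leaks:", audit_unauthenticated_leaks(HARDENED_ROUTES, "fight-club"))
```

The audit is the check worth automating in CI for any platform that stitches several APIs together: enumerate the route table, call each route without a session, and fail the build if any response carries a field on the sensitive list. Putting the session check in a wrapper applied at registration time, rather than inside each handler, is what stops the "assume the caller is logged in" mistake from reappearing when a new metadata endpoint is added.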

Karimi stressed that the top streaming services are largely locked down and either corrected such API misconfigurations long ago or avoided them from the start. But he emphasized that the more utilitarian platforms used for corporate streaming and other live events, including always-on cameras in sports arenas and other venues that are only supposed to be viewable at certain times, can be vulnerable even when their video is considered protected.
