Independent researcher Farzan Karimi first showed years ago that flaws in application programming interfaces, or APIs, could expose streaming content to unauthorized access. In 2020 he disclosed a series of such flaws in Vimeo that could have let him access roughly 2,000 internal corporate meetings along with other kinds of live streams. The company fixed the problem promptly at the time, but the discovery left Karimi concerned that similar problems could be lurking in other platforms.
Years later, he realized that by refining a technique for mapping how APIs retrieve data and interact with one another, he could hunt for other vulnerable platforms. At Defcon, Karimi is presenting findings about current exposures in a sports streaming platform (he is not naming the site because the issues are not yet fixed) and releasing a tool to help others identify the problem in additional sites.
“For a company's all-hands or other sensitive meetings, there may be key internal information being shared: the CEO or other executives talking about layoffs or sensitive intellectual property,” Karimi told Wired ahead of his conference talk. “You can see a bad pattern emerging in how easy it is to bypass authentication to access streams, but this class of issue has previously been dismissed as requiring deep knowledge of a specific company to identify.”
APIs are services that retrieve and return data to whoever requests it. Karimi gives the example of searching for the film Fight Club on a streaming platform: the film's stream could come back along with information on the film's length, trailers, its cast and other metadata. Multiple APIs work together to assemble all this information, each one retrieving certain types of data. Likewise, if you search for Brad Pitt, a set of APIs interact to deliver Fight Club alongside other films he starred in, such as Troy and Seven. Some of these APIs are designed to require proof of authentication before returning results, but if a system has not been examined closely, it is common for other APIs to blindly return data without requiring proof of authorization, on the assumption that only an authenticated requester would be able to send them queries.
“Often there are practically four, five, some number of APIs that all have this metadata, and if you know how to trace through them, you can unlock paid content for free,” Karimi says. “It's a ‘security through obscurity’ model in which they would never think that someone would be able to manually connect the dots between these APIs. The automation I'm introducing, however, helps find these authorization flaws quickly and at scale.”
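The two passages above describe a chain of cooperating APIs (search, title metadata, stream manifest) in which only some endpoints enforce authorization, and an automated way to find the ones that do not. The example below is added here to illustrate that check; it is not Karimi's tool or any platform's real API. It mocks a backend with three endpoint families (the endpoint paths, the token string and the catalogue entries are all constructed for the example), walks it the way a logged-in client would while recording every request, then replays each recorded request with the credentials stripped and flags any path whose unauthenticated response is identical to the authenticated one.

```python
from dataclasses import dataclass

# Everything below is a constructed mock: the endpoint names, token and
# catalogue entries are assumptions for this example, not a real platform's API.
VALID_TOKEN = "Bearer session-abc123"

CATALOG = {
    "t1": {"title": "Fight Club", "length_min": 139, "cast": ["Brad Pitt", "Edward Norton"]},
    "t2": {"title": "Troy", "length_min": 163, "cast": ["Brad Pitt", "Eric Bana"]},
    "t3": {"title": "Seven", "length_min": 127, "cast": ["Brad Pitt", "Morgan Freeman"]},
}
# The stream manifest is the paid asset that must stay behind authentication.
STREAMS = {tid: f"https://cdn.example/{tid}/master.m3u8" for tid in CATALOG}


def mock_api(method, path, headers):
    """Route one request to the mock backend and return (status, body).

    /search and /title/<id> check the bearer token. /stream/<id> does not,
    on the assumption that only an authenticated client ever learns the id;
    that is the misconfiguration the article describes.
    """
    authed = headers.get("Authorization") == VALID_TOKEN
    if method != "GET":
        return 405, {"error": "method not allowed"}
    if path.startswith("/search?actor="):
        if not authed:
            return 401, {"error": "unauthorized"}
        actor = path.split("=", 1)[1].replace("+", " ")
        hits = [tid for tid, meta in CATALOG.items() if actor in meta["cast"]]
        return 200, {"results": hits}
    if path.startswith("/title/"):
        if not authed:
            return 401, {"error": "unauthorized"}
        tid = path[len("/title/"):]
        if tid not in CATALOG:
            return 404, {"error": "not found"}
        return 200, {**CATALOG[tid], "stream": f"/stream/{tid}"}
    if path.startswith("/stream/"):
        tid = path[len("/stream/"):]
        if tid not in STREAMS:
            return 404, {"error": "not found"}
        # Missing authorization check: anyone who knows the id gets the manifest.
        return 200, {"manifest": STREAMS[tid]}
    return 404, {"error": "not found"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict


def map_session(api, token, actor):
    """Walk the API the way a logged-in client does, following ids from one
    response into the next, and record every request that was made."""
    headers = {"Authorization": token}
    log = []

    def get(path):
        log.append(Request("GET", path, dict(headers)))
        return api("GET", path, headers)

    _, body = get(f"/search?actor={actor.replace(' ', '+')}")
    for tid in body.get("results", []):
        status, meta = get(f"/title/{tid}")
        if status == 200 and "stream" in meta:
            get(meta["stream"])
    return log


def replay_without_auth(api, log):
    """Resend every recorded request with credentials stripped and return the
    paths whose anonymous response is identical to the authenticated one."""
    findings = []
    for req in log:
        s_auth, b_auth = api(req.method, req.path, req.headers)
        anon = {k: v for k, v in req.headers.items()
                if k.lower() not in ("authorization", "cookie")}
        s_anon, b_anon = api(req.method, req.path, anon)
        if s_auth == 200 and s_anon == 200 and b_anon == b_auth:
            findings.append(req.path)
    return findings


if __name__ == "__main__":
    session_log = map_session(mock_api, VALID_TOKEN, "Brad Pitt")
    for exposed in replay_without_auth(mock_api, session_log):
        print("returned without credentials:", exposed)
```

Against a real target the same two steps apply: capture the requests a browser makes during an authenticated session, then replay each one with the Authorization header and cookies removed and diff the bodies. Comparing against the authenticated response, rather than just checking for a 200, avoids false positives from endpoints that answer anonymous callers with a harmless public stub.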
Karimi stresses that the top streaming services are largely locked down and either corrected these API misconfigurations long ago or avoided them from the start. But he points out that more utilitarian platforms for corporate streaming and other live events, including always-on cameras in sports arenas and other venues that should be accessible only at certain times, are vulnerable and are exposing video that is believed to be protected.