Exposed: Security Flaws in Corporate Streaming Platforms

Major streaming services like Netflix and Disney+ have invested heavily in securing their content, making sure users cannot watch without a subscription or bypass regional restrictions. However, research presented at the Defcon security conference in Las Vegas has uncovered design flaws in corporate streaming platforms that could allow unauthorized access to content.

Farzan Karimi, an independent researcher, first encountered this class of weakness years ago. In 2020, he reported a vulnerability to Vimeo which, if exploited, could have exposed around 2,000 internal company meetings. Vimeo fixed the issue, but the finding raised the question of whether similar weaknesses existed on other platforms.

Karimi pursued that question and found that by mapping a service's Application Programming Interfaces (APIs), he could pinpoint other at-risk platforms. At Defcon, he discussed a similar vulnerability in a sports streaming service, which he declined to name until it is fixed, and introduced a tool to identify the same kind of problem across different services.

Highlighting the risks involved, Karimi explained, "For sensitive corporate meetings, CEOs or executives might discuss layoffs or share proprietary information," which could be accessed due to these lapses in authentication.

APIs retrieve and send data in response to requests from a client, such as a web player or mobile app. Karimi explained that some APIs, when not rigorously reviewed, return data without checking authentication, on the mistaken assumption that only an already-authenticated user's client would ever call them.

Karimi pointed out a significant security oversight: "Often there are multiple APIs housing all this metadata. Tracing them can unlock premium content for free." He described this as "security through obscurity": the design relies on nobody connecting the dots between the APIs, a job that is tedious by hand but which his new tool automates.

While the top streaming services have addressed or avoided these issues, more utilitarian platforms, especially those streaming corporate events or live sports, may still be vulnerable and could inadvertently expose content that is supposed to be secure.