A Misconfiguration Threatening Corporate Streaming Platforms Could Expose Sensitive Data

Top streaming services like Netflix and Disney+ have invested heavily over the years to secure their content, preventing viewing without a subscription and blocking region-restricted content. However, new findings presented at the Defcon security conference in Las Vegas show that streaming platforms used for corporate broadcasts and sports livestreams have basic flaws that allow access to content without logging in.

Independent researcher Farzan Karimi discovered years ago that API misconfigurations exposed streaming content to unauthorized access. In 2020, he reported such flaws to Vimeo, which could have allowed access to about 2,000 internal company meetings and other livestreams. Although Vimeo quickly resolved the issue, Karimi was concerned similar problems existed on other platforms.

Continuing his research, Karimi refined his technique for mapping API interactions so he could identify more vulnerable platforms. At Defcon, he is presenting findings on exposures in a mainstream sports streaming platform, which he is not naming because the issues remain unresolved, and is releasing a tool to help detect similar problems on other sites.

“For a company all-hands or sensitive meeting, key internal information might be shared, like executives discussing layoffs or intellectual property,” Karimi told WIRED. “You can see a bad pattern of easily circumventing authentication to access streams, but this was previously dismissed as needing deep business knowledge to find.”

APIs fetch and return data upon request. For example, when a user searches for the movie Fight Club on a streaming platform, APIs retrieve its length, trailers, cast, and other metadata, with several APIs working together to assemble the result. Similarly, searching for Brad Pitt triggers a set of APIs that return Fight Club and other films he appears in, like Troy and Seven. Some APIs require proof of authentication before returning results, but other APIs often hand back data without any authorization check, on the assumption that only already-authenticated clients ever send them queries.
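The inconsistent enforcement described above, as an added illustration that is not Karimi's tool or any platform's code: a minimal in-process model where the playback endpoint checks the session but the metadata endpoint does not, plus an audit routine that calls every route of your own service without credentials and flags any that return protected fields. All route names, field names, session values and catalogue data are constructed for the example.

```python
# Added example (not Karimi's tool or any platform's code): a minimal in-process
# model of a streaming API where the playback endpoint checks the session but the
# metadata endpoint does not, plus an audit that calls every route without
# credentials and flags the ones that hand back protected fields.
# All route names, fields and data are constructed for illustration.
from functools import wraps

PROTECTED_FIELDS = {"stream_url", "hls_manifest"}   # values that should need auth
VALID_SESSIONS = {"sess-ok"}                          # constructed session store

# Constructed catalogue: one paid, region-locked live event.
EVENTS = {"42": {"title": "Arena cam", "stream_url": "https://cdn.example/42.m3u8"}}

def requires_session(handler):
    """Reject the request unless it carries a valid session token."""
    @wraps(handler)
    def wrapper(req):
        if req.get("session") not in VALID_SESSIONS:
            return {"status": 401}
        return handler(req)
    return wrapper

@requires_session
def playback(req):
    ev = EVENTS[req["id"]]
    return {"status": 200, "body": {"hls_manifest": ev["stream_url"]}}

# The misconfiguration from the article: metadata is served on the assumption
# that only already-authenticated clients ask for it, yet it carries the stream URL.
def metadata_unauthenticated(req):
    return {"status": 200, "body": dict(EVENTS[req["id"]])}

@requires_session
def metadata_hardened(req):
    return {"status": 200, "body": dict(EVENTS[req["id"]])}

def audit(routes, sample_req):
    """Call each route with no session and return names that leak protected fields."""
    leaks = []
    for name, handler in routes.items():
        resp = handler(dict(sample_req))          # no 'session' key at all
        body = resp.get("body", {}) if resp["status"] == 200 else {}
        if PROTECTED_FIELDS & set(body):
            leaks.append(name)
    return sorted(leaks)

WEAK_ROUTES = {"playback": playback, "metadata": metadata_unauthenticated}
FIXED_ROUTES = {"playback": playback, "metadata": metadata_hardened}

if __name__ == "__main__":
    print(audit(WEAK_ROUTES, {"id": "42"}))   # ['metadata']
    print(audit(FIXED_ROUTES, {"id": "42"}))  # []
```

The audit catches the leak because it judges each route by what it returns to an anonymous caller, not by whether some other route in the chain enforced a check earlier.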

“Often there are several APIs with all this metadata, and knowing how to trace them allows unlocking of paywalled content for free,” Karimi says. “It’s ‘security through obscurity,’ assuming no one connects the dots between APIs. My automation helps find these flaws at scale.”

Karimi notes that major streaming services are largely secure, having corrected such issues or never having them. However, utilitarian platforms for corporate streaming and live events, such as always-on cameras in sports arenas, are likely vulnerable and exposing supposedly protected video.
