Hacker News

ryankrage77 yesterday at 8:03 PM

This can give the attacker the URL of a private video, but they won't be able to access it. It could let them access unlisted videos, but I don't think that's as big a deal.


Replies

8organicbits yesterday at 11:48 PM

This is an important point: private videos should not be impacted by this, as knowing the URL isn't enough to access the video. Unlisted videos are indirect-object reference by design. It's poor security, but the user is expected to understand the tradeoff (whether they actually do is questionable).