This can give the attacker the URL of a private video, but they won't be able to access it. It could let them access unlisted videos, but I don't think that's as big a deal.
This is an important point: private videos should not be impacted by this, as knowing the URL isn't enough to access the video. Unlisted videos are indirect-object references by design. It's poor security, but the user is expected to understand the tradeoff (whether they actually do is questionable).