Twitter DM Videos Are Accessible to Unauthenticated Users (ws-dl.blogspot.com)
34 points by _tk_ on Dec 13, 2022 | 14 comments


Why is this noteworthy? You can do the same thing with Android messages... Hopefully this is not another Twitter attack. This isn't a "vulnerability" either.


Surely it is a vulnerability?

The behaviour everyone likely expects, in Twitter & Android, is that if you send a video to one person directly, then only that one specific person is able to access it.

It's different if the UI makes clear that you're uploading an image to a website where it will be publicly available, but random people "probably" won't find it, and you can share the link with someone.


Technically I agree - it's just one of those things that quite a few platforms do... It's similar to the Eufy stuff circulating recently. User uploads XYZ, they expect it to be "private" - platform devs decide private == obfuscated via a super long file name (a bit layman, sorry) in some kind of object storage.

While there's definitely a method of securing the access to the uploaded content to those who should have access, it's often not implemented that way since your uploaded content would be statistically improbable to "guess" and even more improbable to tie it back to you.

I came off a little direct, straight up saying it was not a vulnerability without context. While I still stand by it not being a vuln from a sec perspective, it's definitely not great.


Part of the issue with Eufy is that they uploaded people’s content even when cloud backup was off. They also had the video stream unencrypted. It accepts an authentication token but never actually enforces it.


You can also just do this with Circle posts, the permalink to the video is always just going to be available, the client/server just prevents unauthorised people from retrieving content that displays that. While it wouldn't be too much to prevent Twitter from protecting content, there are far greater security concerns if people are accessing the intentionally restricted content.


I would consider it a “moderate” or “low” severity issue, the same as “session cookie does not expire.”

Authentication tokens intended for ephemeral browser sessions should expire, it’s good practice not to hand out infinite-access credentials.


I sort of explained my thought process above but I suspect they've done it this way for "cdn things"

It's not great, there's certainly a way to secure it, but like many other solutions - stuff it in a storage bucket with a "random" URL is "good enough" in the eyes of the platform.


No disagreement here, that must be why they do it. But most CDNs, e.g. S3, handle expiry in their signed URL implementations.
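The two approaches contrasted in this sub-thread (an unexpiring "random" object name versus a signed URL with an expiry) side by side, as an added example that is not part of the thread and not any vendor's actual presigning algorithm (S3 uses SigV4; the HMAC scheme below is a simplified illustration). The base URL, path, key and timestamps are constructed for the demo:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real deployment would keep this in a secrets manager.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def opaque_url(base: str) -> str:
    """The 'good enough' pattern from the thread: a long random object name.

    Unguessable (256 bits of entropy), but anyone who ever obtains the link
    can fetch the object forever; nothing in the URL ever stops being valid.
    """
    return f"{base}/{secrets.token_urlsafe(32)}.mp4"


def _canonical(path: str, exp: int) -> bytes:
    # Sign the path together with the expiry so neither can be swapped.
    return f"{path}\n{exp}".encode()


def sign_url(base: str, path: str, ttl_seconds: int,
             key: bytes = SIGNING_KEY, now: Optional[int] = None) -> str:
    """Issue a URL that is only valid until now + ttl_seconds."""
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    sig = hmac.new(key, _canonical(path, exp), hashlib.sha256).hexdigest()
    return f"{base}{path}?" + urlencode({"exp": exp, "sig": sig})


def verify_url(url: str, key: bytes = SIGNING_KEY,
               now: Optional[int] = None) -> Tuple[bool, str]:
    """What the CDN edge would do before serving the object."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        exp = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed exp/sig"
    expected = hmac.new(key, _canonical(parsed.path, exp),
                        hashlib.sha256).hexdigest()
    # Constant-time compare; check the signature before trusting exp.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now >= exp:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_000
    link = sign_url("https://cdn.example", "/dm/video123.mp4", 300, now=issued_at)
    print(link)
    print(verify_url(link, now=issued_at + 100))   # (True, 'ok')
    print(verify_url(link, now=issued_at + 400))   # (False, 'expired')
    print(opaque_url("https://cdn.example/dm"))    # valid until deleted
```

The signed link still leaks if its holder shares it, exactly as the thread notes; the difference is that a leaked HAR file or proxy log becomes useless once `exp` passes, whereas the opaque URL stays live until the object is deleted. Binding the link to a specific recipient rather than to a time window would need the edge to authenticate the requester, which is the harder change the comments above allude to.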


If you text someone on Android it gets posted online somewhere?


No, if you send a photo or video it's a "public" URL though... It's just improbable to enumerate.


It's evidently some security researcher trying to cash in the Elon Musk hate for some street cred. Hoping some big news site links the post.


Curious how you landed on that conclusion?


Protection with opaque links may not be a best practice, but it is certainly not a security vulnerability. Either the party willingly shares a link or needs to be compromised to get access to the content.

There's no remotely exploitable vulnerability. This isn't some auto-increment ID you could be hitting to see some content you were not intended to see. Opaque links are unguessable.

> However, if the URLs are somehow leaked (e.g., guessing, reverse engineering, brute force, exported through HAR files, intercepted by proxies) ... but the DM videos are available for anyone to access with no HTTP protection

"Guessing, reverse engineering and brute force" all depend on unproven or nonexistent vulnerabilities. What is the point of even mentioning them?

"Exported through HAR files, intercepted by proxies" - these would imply that the attacker would have access to the data anyway.


I understand the likelihood of a vulnerability and I agree with your assessment that it's unlikely a casual observer could generate a list of these URLs (a la Parler leak) but disagree that this isn't broadly categorized as a vulnerability (it is, however academic or unlikely).

My question was why you felt that a security researcher publishing something they found must be because of some hatred for Elon Musk? What are the conditions where someone can identify something and share it without an ulterior motive being assumed? I understand you can't criticize right-wing darlings but is there anything else?



