protection with opaque links may not be a best practice, but they are certainly not a security vulnerability. either the party willingly shares a link or needs to be compromised to get access to the content.
there's no remotely exploitable vulnerability. this isn't some auto increment id you could be hitting to see some content you were not intended to see. opaque links are unguessable.
> However, if the URLs are somehow leaked (e.g., guessing, reverse engineering, brute force, exported through HAR files, intercepted by proxies) ... but the DM videos are available for anyone to access with no HTTP protection
"guessing, reverse engineering and brute force" all depend on unproven or nonexistent vulnerabilities. what is the point of even mentioning them?
"exported through HAR files, intercepted by proxies" these would imply that the attacker would have access to the data anyway.
I understand the likelihood of a vulnerability and I agree with your assessment that it's unlikely a casual observer could generate a list of these URLs (a la Parler leak) but disagree that this isn't broadly categorized as a vulnerability (it is, however academic or unlikely).
My question was why you felt that a security researcher publishing something they found must be because of some hatred for Elon Musk? What are the conditions where someone can identify something and share it without an ulterior motive being assumed? I understand you can't criticize right-wing darlings but is there anything else?