Close Menu
Technology Mag

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Gear News of the Week: iPhone 17 May Be a Month Away, and Sonos to Raise Prices

    August 9, 2025

    I went camping in a heat dome, and these five gadgets saved my vacation

    August 9, 2025

    Aura’s Aspen impressive digital frame is the most affordable it’s been

    August 9, 2025
    Facebook X (Twitter) Instagram
    Subscribe
    Technology Mag
    Facebook X (Twitter) Instagram YouTube
    • Home
    • News
    • Business
    • Games
    • Gear
    • Reviews
    • Science
    • Security
    • Trending
    • Press Release
    Technology Mag
    Home » A Misconfiguration That Haunts Corporate Streaming Platforms Could Expose Sensitive Data
    Security

    A Misconfiguration That Haunts Corporate Streaming Platforms Could Expose Sensitive Data

    News RoomBy News RoomAugust 9, 20253 Mins Read
    Facebook Twitter Pinterest LinkedIn Reddit WhatsApp Email

    Top streaming services like Netflix and Disney+ have made sustained investments over the years to lock their content down. Whenever they can, they prevent users from accessing videos without a subscription or watching region-blocked content. New findings presented today at the Defcon security conference in Las Vegas, though, indicate that streaming platforms used for things like internal corporate broadcasts and sports livestreams can contain basic design flaws that allow anyone to access a vast swath of content without logging in.

    Independent researcher Farzan Karimi first realized years ago that misconfigurations in application programming interfaces, or APIs, exposed streaming content to unauthorized access. In 2020 he disclosed a set of such flaws to Vimeo that could have allowed him to access close to 2,000 internal company meetings along with other types of livestreams. The company quickly fixed the issue at the time, but the finding left Karimi with concerns that similar problems could be lurking in other platforms.

    Years later, he realized that by refining a technique for mapping how APIs retrieve data and interact, he could look for other vulnerable platforms. At Defcon, Karimi is presenting findings about current exposures in one mainstream sports streaming platform—he is not naming the site because the issues are not yet resolved—and releasing a tool to help others identify the problem in additional sites.

    “For a company all hands or other sensitive meeting, there might be key internal information being shared—CEOs or other executives talking about layoffs or sensitive intellectual property,” Karimi told WIRED ahead of his conference talk. “You can see a bad pattern emerge in how easily you can circumvent authentication to access streams, but this class of issue was previously dismissed as requiring deep knowledge of a given business to identify.”

    APIs are services that fetch and return data to whoever requests it. Karimi gives the example that you can search for the movie Fight Club on a streaming platform, and the stream for the movie may come back with information about the length of the movie, trailers, actors in the movie, and other metadata. Multiple APIs work together to assemble all of this information with each fetching certain types of data. Similarly, if you search for Brad Pitt, a set of APIs will interact to deliver Fight Club along with other movies he’s starred in like Troy and Seven. Some of these APIs are designed to require proof of authentication before they will return results, but if a system hasn’t been scrutinized deeply, it is common for other APIs to blindly return data without requiring proof of authorization on the assumption that only an authenticated requestor will be in a position to send queries.

    “Often there are basically four, five, some number of APIs that have all this metadata, and if you know how to trace through them, you can unlock paywalled content for free,” Karimi says. “It’s a ‘security through obscurity’ model where they would never think that someone would be able to manually connect the dots between these APIs. The automation I’m introducing, though, helps find these authorization flaws quickly at scale.”

    Karimi emphasizes that top streaming services are largely locked down and either corrected such API misconfigurations long ago or avoided them from the start. But he emphasizes that more utilitarian platforms for corporate streaming and other live events—including always-on cameras in sports arenas and other venues that are meant to only be accessible at certain times—are likely vulnerable and exposing video that is thought to be protected.

    Share. Facebook Twitter Pinterest LinkedIn WhatsApp Reddit Email
    Previous ArticleI’m Attending 7 Festivals This Year. This Is My Must-Have Gear
    Next Article The Vibes-Based Pricing of ‘Pro’ AI Software

    Related Posts

    Age Verification Laws Send VPN Use Soaring—and Threaten the Open Internet

    August 8, 2025

    It Looks Like a School Bathroom Smoke Detector. A Teen Hacker Showed It Could Be an Audio Bug

    August 8, 2025

    Thieves Target Tennessee National Guard Facilities, Stealing Night Vision Goggles and More

    August 8, 2025

    Encryption Made for Police and Military Radios May Be Easily Cracked

    August 8, 2025

    A Single Poisoned Document Could Leak ‘Secret’ Data Via ChatGPT

    August 7, 2025

    The US Military Is Raking in Millions From On-Base Slot Machines

    August 6, 2025
    Our Picks

    I went camping in a heat dome, and these five gadgets saved my vacation

    August 9, 2025

    Aura’s Aspen impressive digital frame is the most affordable it’s been

    August 9, 2025

    What’s a smut peddler to do these days?

    August 9, 2025

    See 6 Planets Align in the Night Sky This August

    August 9, 2025
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Don't Miss
    Gear

    The Vibes-Based Pricing of ‘Pro’ AI Software

    By News RoomAugust 9, 2025

    Lauren Goode: All right. Actually not. But last fall I went to an event for…

    A Misconfiguration That Haunts Corporate Streaming Platforms Could Expose Sensitive Data

    August 9, 2025

    I’m Attending 7 Festivals This Year. This Is My Must-Have Gear

    August 9, 2025

    Age Verification Laws Send VPN Use Soaring—and Threaten the Open Internet

    August 8, 2025
    Facebook X (Twitter) Instagram Pinterest
    • Privacy Policy
    • Terms of use
    • Advertise
    • Contact
    © 2025 Technology Mag. All Rights Reserved.

    Type above and press Enter to search. Press Esc to cancel.