Major privacy issue in videos

I think I have found a major privacy issue. On my website, I have specified that unregistered users should not be able to view user videos. However, by entering the video URL, the video can be viewed without being logged in. The video URL is: https://xxxxxxxxx.com/s/bx_videos_media_resized/dgfdshssf.mp4. This needs to be fixed immediately.

Replies (7)
    • Where did you 'specify' this?

      To fix your problem.

      Studio->Pages->Videos->View Video->Settings

      Set visibility to the memberships you want.

      • oh, a direct link? There is no way to stop a direct link. This has nothing to do with UNA, but your web server.

        A web server would have no way of knowing whether you're logged into UNA.

        • It's a big problem that UNA should fix. I will block it from my server.

          • I have solved the problem by adding the following code at the beginning of the storage.php file, in case anyone wants to use it.

            // Check that the referer belongs to your own domain
            if (isset($_SERVER['HTTP_REFERER'])) {
                $referer = $_SERVER['HTTP_REFERER'];
                if (strpos($referer, 'https://xxxxxxxxxxxxxxx.com') !== 0) {
                    // Referer is not from your domain: redirect to the 'not found' page
                    header('Location: https://xxxxxxxxxxxxxxxxx.com/notfound');
                    exit;
                }
            } else {
                // No referer at all: redirect to the 'not found' page
                header('Location: https://xxxxxxxxxxxxxxxx.com/notfound');
                exit;
            }
            
            • Hello @Antonio !

              Thanks, perhaps it would be useful. Your original request means that someone can inspect the closed code and pass the file URL to others. But the name of every file is auto-generated and it can't be calculated. So the non-public files are in the good zone of security.

              • Be advised, some JavaScript fetch methods do not properly use the headers, and even old school 2011-2013 apache methods have been known to fail.

                I think you are over thinking, because, in order to get that URL, a member would have already needed to be logged in.

                You are actually stopping hot-linking with that code. Firefox is notorious for breaking those rules. And failing in many instances of such referrer code being checked.

                Plus, anyone wanting to actually get that video, who has any smarts, can set the referrer header themselves. I tried to explain that the server itself doesn't know if you're logged into UNA. I personally can think of a dozen ways around that check.

                Personally, how I tackled the situation of subscriber content on my site (paid for videos, photos, etc.) was a proprietary proxy that only streams or sends the image if subscribed to the content, which is foolproof.

                Anyhow, whatever you feel is best for you is all that matters. 😊
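As an added illustration of the proxy approach described in the reply above (example code, not UNA's and not any poster's): the media file is kept outside the web root, so no direct URL reaches it, and the script streams it only after checking the logged-in member's id against the file's access list. The session key, the ACL array shape and the storage path are assumptions, and the ACL would normally be loaded from the application's database.

```php
<?php
declare(strict_types=1);

// Assumption: files are stored outside the web root, so the web server
// cannot serve them directly; only this script can.
const STORAGE_ROOT = '/var/www/private_videos';

/** Authorization decision for one file. $acl is a hypothetical structure:
 *  ['owner' => int, 'visibility' => 'public'|'members'|'friends', 'allowed' => int[]] */
function canAccessFile(?int $viewerId, array $acl): bool
{
    if ($acl['visibility'] === 'public') {
        return true;
    }
    if ($viewerId === null) {           // anonymous visitor: never for non-public files
        return false;
    }
    if ($viewerId === $acl['owner']) {
        return true;
    }
    if ($acl['visibility'] === 'members') {
        return true;                    // any logged-in member
    }
    return in_array($viewerId, $acl['allowed'], true);   // explicit friends list
}

/** Stream the file only after the authorization check passes. */
function serveVideo(string $name, ?int $viewerId, array $acl): void
{
    // Accept only a bare, auto-generated style file name: no path separators.
    if (!preg_match('/^[A-Za-z0-9_-]+\.mp4$/', $name)) {
        http_response_code(404);
        exit;
    }
    if (!canAccessFile($viewerId, $acl)) {
        http_response_code(404);        // same answer as "missing": do not confirm existence
        exit;
    }
    $path = STORAGE_ROOT . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: video/mp4');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');   // keep shared caches from storing it
    readfile($path);
}

// Usage sketch with constructed values: session key and ACL are placeholders.
session_start();
$viewerId = isset($_SESSION['member_id']) ? (int) $_SESSION['member_id'] : null;
$acl = ['owner' => 42, 'visibility' => 'friends', 'allowed' => [7, 13]];
serveVideo($_GET['f'] ?? '', $viewerId, $acl);
```

Unlike the referer check, the decision here depends on server-side session state the client cannot forge, so a shared link simply yields 404 to anyone not on the list.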

                • I understand, but my website is private, so that video should perhaps only be seen by selected members, or by friends, or just by me. That is, the privacy options set by UNA. For example, if a friend from a profile shares that URL, the entire internet would have access to a private video. I think this is very serious. I understand that your way is better, and I hope you share it, but this is something UNA should fix.
