IMPORTANT for STREAM service: pay attention, security bug found!
I developed a WordPress plugin to allow Stream signed URLs to work with WP. Everything is working fine, but while testing the plugin my developer and I found an important bug in how your STREAM works.

As you can see from the attachment, I allowed just 1 “origin domain” in the console. So Stream should only allow streaming of that video from the domain:

For the sake of testing, I set the buffer to something very long, like 7 days: 604800 seconds.

Please see the page where my video is embedded:

It’s signed and working correctly with our WordPress Signed URL plugin!

BUT, if you grab the token from Chrome dev tools as shown here:

and you add “” in front of it… then paste the resulting URL into Epic or any incognito browser… voilà!!!

The video plays perfectly… which it shouldn’t, as it’s another domain and only should be allowed to play it!!!

This is clearly a severe bug in your STREAM service. Such a security flaw could potentially allow any person to insert that URL into software like JDownloader or any other downloader and download the video.

To replicate the BUG:
a) go to (or any URL where there is a CF video and you have activated “allowed origin”)
b) open Chrome dev tools and grab the token; it usually starts with “…”
c) paste it after the domain to compose the final URL
d) paste the final URL into any incognito browser you want…
e) you will see that the video plays correctly, and it shouldn’t, as it’s not the allowed origin domain you set

Please solve this bug ASAP, as any premium website wanting to protect where its videos can be played is jeopardised!

Thanks a lot
Kind regards

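The report above turns on one point a practitioner should check for themselves: what a captured signed-URL token actually contains. Cloudflare Stream signed URLs carry a JWT, and anyone who can see the URL can decode its header and payload without a key. The script below is an added illustration, not code from the original post or from the poster’s plugin. It mints a token shaped like a Stream signed-URL token, decodes it the way dev tools lets you, and reports the replay window left by the token’s `exp`. The HS256 algorithm, `DEMO_SECRET`, `DEMO_VIDEO_UID` and `DEMO_KID` are constructed demo values so the example runs offline (Stream itself signs with an RSA key obtained from its API); the `accessRules` shape follows Cloudflare’s documented signed-URL token format as I recall it and should be checked against current docs before relying on it. The point the example shows: nothing in the token names an HTTP origin, so until `exp` the token is a bearer credential for any client, and the 604800-second lifetime from the post is a 7-day replay window. A tampered `exp` fails verification, and an `ip.src` access rule plus a short lifetime are the levers that shrink the window.

```python
"""Inspect a Stream-style signed-URL token (JWT) to see what bounds its replay."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: Stream signs with an RSA key from its API; HS256 with
# a shared secret is used here only so the example runs offline.
DEMO_SECRET = b"demo-signing-secret-not-a-real-key"
DEMO_VIDEO_UID = "0123456789abcdef0123456789abcdef"  # hypothetical video id
DEMO_KID = "demo-key-id"                             # hypothetical signing key id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(video_uid, kid, secret, lifetime_seconds, access_rules=None, now=None):
    """Build a JWT shaped like a Stream signed-URL token: sub = video, nbf/exp
    bound the lifetime, optional accessRules (Cloudflare's documented format,
    assumed here) restrict the client by IP or country. No claim names an origin."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"sub": video_uid, "kid": kid, "nbf": now, "exp": now + lifetime_seconds}
    if access_rules:
        payload["accessRules"] = access_rules
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def inspect_token(token):
    """Decode header and payload WITHOUT verifying: what anyone who copies the
    URL out of dev tools can read. Returns (header, payload) dicts."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def verify_token(token, secret):
    """Check the HMAC; a reader can see the claims but cannot change exp
    without the signing key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def replay_window(token, now=None):
    """Seconds for which a captured token is still within its exp when presented
    by any client. exp (and any access rule) is the only bound; there is no origin."""
    _, payload = inspect_token(token)
    now = int(time.time()) if now is None else now
    return max(0, payload["exp"] - now)


def tamper_exp(token, new_exp):
    """Re-encode the payload with a new exp but keep the original signature,
    i.e. the attacker's attempt to stretch a captured token past its 7 days."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    payload = inspect_token(token)[1]
    payload["exp"] = new_exp
    return (header_b64 + "."
            + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
            + "." + sig_b64)


if __name__ == "__main__":
    t0 = 1_700_000_000
    # The poster's 7-day buffer: 604800 seconds of replay from anywhere.
    week = mint_token(DEMO_VIDEO_UID, DEMO_KID, DEMO_SECRET, 604800, now=t0)
    # A short-lived token bound to one client network (IP list is constructed).
    short = mint_token(DEMO_VIDEO_UID, DEMO_KID, DEMO_SECRET, 300, now=t0,
                       access_rules=[{"type": "ip.src", "action": "allow", "ip": ["203.0.113.0/24"]},
                                     {"type": "any", "action": "block"}])
    print("7-day token payload:", inspect_token(week)[1])
    print("replay window (s):", replay_window(week, now=t0))  # 604800
    print("5-minute IP-bound payload:", inspect_token(short)[1])
    print("tampered exp verifies?", verify_token(tamper_exp(week, t0 + 10**9), DEMO_SECRET))  # False
```

Run it against a real captured token by passing the token string to `inspect_token` and `replay_window` (the secret is only needed for `verify_token`, which a real client cannot do without Cloudflare's key). Whatever the console's allowed-origin setting enforces on the embed, the decoded payload tells you how long the URL itself remains a usable credential once copied.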

Have you contacted Support about this?
Log in to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button.


Hello Sdayman,

Yes I did; they said they are working on it (5 days have passed).
But this is kind of a big deal in terms of security for Stream, so I wanted the community to be aware, and I will surely mark this as solved or similar once the solution is there 🙂

Perhaps a better channel to bring this vulnerability to Cloudflare’s attention would be:


Oh thanks floripare. I didn’t know about that channel!
What is the clean way to repost it on that channel? Or move it, copy it, or in some way refer to it there?

Sorry, I wouldn’t know, as I have never done it myself.