Hello,
I developed a WordPress plugin to allow Stream signed URLs to work with WP. It's all working fine, but while testing the plugin my developer and I found an important bug in how your STREAM works.
As you can see from the attachment, I allowed just 1 “origin domain” in the console. So Stream should only allow streaming of that video from the domain: hedoniac.com.
For the sake of testing, I set the buffer to something very long, like 7 days: 604800 seconds.
Please see the page where my video is embedded:
https://hedoniac.com/cftesting/
It's signed and working correctly with our WordPress Signed URL plugin!
BUT, if you grab the token from Chrome dev tools as in here:
and you add “watch.cloudflarestream.com/” in front of it… then you paste the resulting URL in Epic or any incognito browser… voilà!!!
The video plays perfectly… which it shouldn't, as cfstream.com is another domain and only hedoniac.com should be allowed to play it!!!
This is clearly a severe bug in your STREAM service. Such a security flaw could potentially allow any person to insert that URL into software like JDownloader or any downloader and download the video.
To replicate the BUG:
a) go to https://hedoniac.com/cftesting/ (or any URL where there is a CF video and you have activated “allowed origin”)
b) go to Chrome dev tools and grab the token; it usually starts with “videodelivery.net…”
c) paste it after the domain watch.cfstream.com/ to compose the final URL
d) paste the final URL in any incognito browser you want…
e) you will see that the video is played correctly, and it shouldn't be, as it's not the allowed origin domain you set
Please solve this bug ASAP, as any premium website wanting to protect the origins its videos play from is jeopardised!
Thanks a lot
Kind regards