You can bypass Cloudflare Stream by converting m3u8 & TS to false JPG ending

I have tried to report this to Cloudflare via their Abuse form but they have not done anything against it nor have they even replied to me.

This was the same issue months ago when we reported that people could bypass Cloudflare .MP4 stream rules by converting the files to .m3u8 & .TS files (segmented files), as Cloudflare did not detect small 5-second streams as “Large video content”.

After we reported it in the Cloudflare community they finally saw it and patched it.

In the last few months, however, a new method has come up regarding this.

People have now started converting their media files to .m3u8 and, instead of .TS files, it’s .JPG files.

This allows them to bypass the Cloudflare stream policy once again, use the service for free, and hide the origin of their content behind a protected Cloudflare IP.

We are reporting this as we are whitehats.

Keywords for Google and other search engines
m3u8, ts, jpg, m3u8 jpg, m3u8 Cloudflare bypass, Cloudflare stream free jpg, jpg m3u8 hack Cloudflare, Cloudflare jpg stream m3u8

Cloudflare does not care if your site has a 2 minute video that is streamed a few times a month. Nor does Cloudflare care if you chop it into 5 second pieces first.

Video streaming is banned because it uses disproportionate amounts of data (which Cloudflare pays for) compared to HTML. If your site has thousands of visitors a day and is primarily about video streaming, then yes, Cloudflare will take action.

But Cloudflare will also take action if you primarily serve large binary files. It’s the amount of data that matters, not the content type.


Did you read what I was actually reporting as an abuse bypass to Cloudflare, or did you just have something on copy-paste for “Why can’t I stream with Cloudflare” (which isn’t even related to this abuse report above)?


I’m sorry if I misunderstood you. Could you please give an example of this abuse?

That message was 100% original 🙂


For example, as you mentioned, “Large static file”.
This m3u8 jpg abuse method (which I have explained in detail via the Cloudflare abuse report system) renders only a 1x1-pixel white JPG.
Upon viewing this, it decodes and renders the full hijacked .TS file instead.
Cloudflare sees this as a 0.1KB “JPG” being streamed from their datacenter.

We’re just volunteers, no one here has access to abuse reports.

That sounds weird. As far as I’m aware, Cloudflare simply counts the number of bytes being sent to the client. So a 1MB file is counted as 1MB no matter the content.

Are you able to share a link to a site taking advantage of this?


I’m aware.
I know that Cloudflare staff read the community forum as well, since this is how we got the first ticket looked into.

In the abuse report system I have reported multiple sites & links that use this method, for them to have fun with 👍

I think it’s similar to steganography, where attackers merge data within another file, so they can deliver an image that looks like whatever. Then the “client” reads the image and decodes it to be the streaming information.

So while observing the type of data transmitted, Cloudflare sees jpeg/web content instead of video. At least that’s how I understand the issue.
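The posts above describe the disguise from two angles: the file is named .jpg and begins as a tiny real JPEG, but the bulk of the body is an MPEG-TS segment that the player decodes. The check below is an added example written for this thread, not code from Cloudflare or from any poster. It looks for the transport-stream packet structure (a 0x47 sync byte every 188 bytes) anywhere in the body, so a JPEG header followed by TS packets is still flagged, and it reports how much of the body the TS packets account for. The threshold and the sample bodies are constructed for the example.

```python
# Added example: flag HLS segments served under a .jpg name by checking the
# bytes rather than the extension. Thresholds and samples are constructed.
from dataclasses import dataclass

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
TS_SYNC = 0x47               # MPEG-TS sync byte
TS_PACKET = 188              # MPEG-TS packet size in bytes
MIN_TS_PACKETS = 8           # constructed threshold; tune for real traffic


@dataclass
class Verdict:
    path: str
    has_jpeg_magic: bool
    ts_offset: int        # where the TS packet run starts, -1 if none
    ts_packets: int       # number of aligned packets in that run
    ts_fraction: float    # share of the body taken by TS packets
    suspicious: bool
    reason: str


def find_ts_stream(data: bytes, min_packets: int = MIN_TS_PACKETS) -> tuple[int, int]:
    """Return (offset, packet_count) of the first run of at least
    `min_packets` MPEG-TS packets aligned on 188-byte boundaries, or (-1, 0).
    Every offset is tried so a stream appended after a JPEG is found too."""
    n = len(data)
    for start in range(n):
        if data[start] != TS_SYNC:
            continue
        count, pos = 0, start
        while pos < n and data[pos] == TS_SYNC:
            count += 1
            pos += TS_PACKET
        if count >= min_packets:
            return start, count
    return -1, 0


def classify(path: str, data: bytes) -> Verdict:
    """Compare what the file name claims with what the bytes contain."""
    ext = path.lower().rsplit(".", 1)[-1] if "." in path else ""
    has_jpeg_magic = data.startswith(JPEG_SOI)
    offset, packets = find_ts_stream(data)
    fraction = (packets * TS_PACKET) / len(data) if data else 0.0

    if ext in ("jpg", "jpeg"):
        if packets:
            suspicious = True
            reason = f"{packets} MPEG-TS packets ({fraction:.0%} of body) at offset {offset}"
            reason += " after a JPEG header" if has_jpeg_magic else ", no JPEG header at all"
        elif not has_jpeg_magic:
            suspicious, reason = True, "jpg extension but no JPEG magic bytes"
        else:
            suspicious, reason = False, "plain JPEG"
    elif ext == "ts":
        suspicious, reason = False, "declared transport stream"
    else:
        suspicious = packets > 0
        reason = "undeclared transport stream" if packets else "no TS structure"
    return Verdict(path, has_jpeg_magic, offset, packets, fraction, suspicious, reason)


def _ts_packets(count: int) -> bytes:
    # Constructed null packets: sync byte, PID 0x1FFF (null), payload flag, padding.
    return (bytes([TS_SYNC, 0x1F, 0xFF, 0x10]) + b"\x00" * (TS_PACKET - 4)) * count


# Constructed sample bodies (not real captures).
BENIGN_JPEG = JPEG_SOI + b"\xe0" + b"\x00" * 300 + JPEG_EOI                    # ordinary image
PLAIN_TS = _ts_packets(20)                                                     # ordinary segment
DISGUISED_JPG = JPEG_SOI + b"\xe0" + b"\x00" * 60 + JPEG_EOI + _ts_packets(20)  # tiny JPEG, then video


if __name__ == "__main__":
    for name, body in [("poster.jpg", BENIGN_JPEG), ("seg001.ts", PLAIN_TS), ("seg001.jpg", DISGUISED_JPG)]:
        v = classify(name, body)
        print(f"{v.path}: suspicious={v.suspicious} ({v.reason})")
```

Run on the constructed bodies, the plain image and the honestly named segment pass, while the 3.8KB "seg001.jpg" is reported as a 66-byte JPEG followed by 20 TS packets making up about 98% of the body. In practice the same logic belongs where the bytes are actually seen, for example in a proxy or log-enrichment step, because the extension and the declared Content-Type are exactly the fields the disguise controls.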

I see. Thanks for clarifying and I apologize for misunderstanding. If it is indeed possible to spoof the amount of data transferred, then that should definitely be looked into.

Just to make sure you know, I’d like to mention that the Trust & Safety team are the only ones who can access abuse reports - “regular” Cloudflare employees aren’t able to help once a report has been submitted. Your report will be reviewed and the team will take action if they deem it necessary, but you may not receive any other response than the confirmation email.

If you’re serious about streaming video this doesn’t scale. I wouldn’t want to stream my 4000 videos this way.

I’m pretty sure there are some small users abusing this, but Cloudflare is so big that it won’t be noticed. Implementing measures to prevent this is probably going to be more work than catching an abuser that gets big here and there.

So yeah, your bypass is smart, but I bet Cloudflare doesn’t care a lot if small users do this.