2022-12-12: Twitter DM Videos Are Accessible to Unauthenticated Users

 

@Whitekitty2012 DMing @BKitty2020 an image -- Twitter works very hard to protect this image from access by third parties.

@Whitekitty2012 DMing @BKitty2020 a video -- unlike the image above, this video has no HTTP protection.

We have created a simple example that demonstrates that while Twitter goes to great lengths to protect images shared in direct messages (DMs), the videos shared in DMs enjoy no such protections.  Both image and video URLs are named based on hashes and would be difficult if not functionally impossible to guess:  

Image URL: https://ton.twitter.com/i/ton/data/dm/1600870219324465156/1600870190459256832/KM0EBzij.jpg:small

Video URL: https://video.twimg.com/dm_video/1600877027330064385/pl/320x180/Vn4h39llbQ0jfr1D.m3u8?container=fmp4 

However, if the URLs are somehow leaked (e.g., guessing, reverse engineering, brute force, exported through HAR files, intercepted by proxies), twitter.com protects the DM images from unauthorized HTTP access through session-specific cookies, but the DM videos are available for anyone to access with no HTTP protection.  In short, videos in DMs are protected only through their opaque URLs.  

Right clicking on the URL and choosing "Copy as curl" reproduces the HTTP request your browser used to request this image.

In the screenshot below, right-clicking on the image URL  and selecting "Copy as curl" allows one to reproduce the request sent by the browser to the server.  The example uses the HTTP cookie from  @Whitekitty2012 and if that session is closed, the URL is no longer accessible:

If a user who is logged in but not part of the DM conversation attempts to access the URL, the server will return a 404.  After the session has ended, the server will eventually not even return an HTTP response for the image; it will just silently fail.  

Even though Twitter DM images have opaque URLs, Twitter works very hard to protect access to image URLs: they are protected by session Cookies and cannot be accessed if the session is not active or if members outside of the conversation attempt to access the URL.  

Twitter DM videos are also opaquely named, but there is no HTTP protection for their URLs.  The screenshots below show the browser dev tools, and right-clicking on the "m3u8" file.  

Right-clicking on the .m3u8 file.

The same image as above, just scrolled down.

Right-clicking on the video URL and selecting "Copy as curl" allows us to get the Media Playlist for the Fragmented MP4 file (RFC 8216):

The shared image, White Kitty (background) and Black Kitty (foreground).

The reported issue; triaged & closed.