Twitter DM Videos Are Accessible to Unauthenticated Users
Michael L. Nelson

TL;DR
This paper reveals that Twitter Direct Message videos are accessible to anyone who has the URL, unlike DM images, which are protected, highlighting a security flaw in Twitter's handling of DM video content.
Contribution
The study demonstrates that Twitter DM videos are publicly accessible via their URLs, exposing a security vulnerability not present in image sharing within DMs.
Findings
DM videos are accessible without authentication.
DM images require session-specific cookies for access.
DM videos can be archived or shared outside Twitter.
Abstract
Videos shared in Twitter Direct Messages (DMs) have opaque URLs based on hashes of their content, but are otherwise available to unauthenticated HTTP users. These DM video URLs are thus hard to guess, but if they were somehow discovered, they are available to any user, including users without Twitter credentials (i.e., twitter.com specific HTTP Cookie or Authorization request headers). This includes web archives, such as the well-known Internet Archive Wayback Machine, which can be used to move DM videos to domains outside of twitter.com. This lack of authentication for DM videos is in contrast to Twitter's model for images in DMs, which also have opaque URLs but require a session-specific HTTP cookie shared only between the DM participants. We review a minimal reproducible example of an image and video shared between two demo accounts, and show that while the image is protected from…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Caching and Content Delivery · Opportunistic and Delay-Tolerant Networks
