Video-editing upstart bares users' raunchy flicks to world+dog via leaky AWS bucket
Lock the front door, you chumps
A British video-editing startup exposed what is claimed to be "thousands" of user-uploaded videos, including family films and home-made pornography, in an unsecured Amazon AWS bucket.
Research by Noam Rotem and Ran Locar, for security biz vpnMentor, revealed that VEED.io left an AWS bucket completely unsecured and hosting what they summarised as "10,000s of videos" that were accessible to anyone visiting the bucket's URL.
VEED bills itself as an online video-editing service that lets users add subtitles, text, effects and more to uploaded videos. A free tier allows this to be done for videos in 240px quality; anything better than that needs a subscription.
Rotem and Locar found that one could visit the landing page hosting the videos with a web browser and theoretically look through them at one's leisure without needing to provide login details.
"The breached database compromised the privacy of every VEED user, exposing all content uploaded to the platform in its raw, unedited form. This included private videos of a very sensitive nature," the pair said.
The videos were said to include "marketing material, family videos, and even home-made pornography".
According to VPN Mentor, VEED ignored attempts in mid-October to alert it to the breach, and it did not respond to The Register's questions when we contacted it through Twitter earlier this week.
Having waited seven days with no reply from VEED, Rotem and Locar contacted Amazon directly, which closed off public access to the bucket nine days later.
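The article does not say which setting left the bucket open, only that it was "completely unsecured" and that Amazon eventually "closed off public access". The following is an added example, not code from the article, VEED or vpnMentor: a small audit routine that takes the three pieces of S3 metadata boto3 returns for a bucket (its ACL, its Public Access Block configuration and its policy status) and reports anything that would let an anonymous visitor list or download objects. The sample "leaky" and "hardened" configurations are constructed to illustrate the two states; an ACL granting READ to the AllUsers group is assumed here as one plausible cause, not a fact the article establishes.

```python
"""Audit an S3 bucket's public-exposure posture (added example, not VEED's code).

Input shapes match what boto3's get_bucket_acl, get_public_access_block and
get_bucket_policy_status return, so the same function can be fed either the
constructed samples below or live responses from an AWS account.
"""
from __future__ import annotations

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: dict) -> list[str]:
    """Return ACL grants made to 'everyone' or 'any AWS account' groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            found.append(f"{grant['Permission']} to {group}")
    return found


def audit_bucket(acl: dict, public_access_block: dict | None, policy_status: dict | None) -> list[str]:
    """Return a list of findings; an empty list means nothing is reachable anonymously."""
    findings = []
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing:
        findings.append("Public Access Block not fully enabled: " + ", ".join(missing))
    # A READ grant to AllUsers is what lets a browser list and fetch the bucket
    # from its URL with no login; IgnorePublicAcls neutralises such grants.
    grants = public_acl_grants(acl)
    if grants and not pab.get("IgnorePublicAcls", False):
        findings.append("ACL exposes bucket to anonymous/any-AWS users: " + "; ".join(grants))
    is_public = (policy_status or {}).get("PolicyStatus", {}).get("IsPublic", False)
    if is_public and not pab.get("RestrictPublicBuckets", False):
        findings.append("Bucket policy is public and RestrictPublicBuckets is off")
    return findings


# Constructed sample data (not taken from the incident).
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
HARDENED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}],
}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
PRIVATE_POLICY_STATUS = {"PolicyStatus": {"IsPublic": False}}


def audit_live_bucket(bucket: str) -> list[str]:
    """Run the same audit against a real bucket (requires boto3 and AWS credentials)."""
    import boto3  # imported here so the offline samples above need no AWS SDK
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        pab = s3.get_public_access_block(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None  # no block configured at all: treated as fully open
    try:
        status = s3.get_bucket_policy_status(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        status = None  # no bucket policy means no policy-based exposure
    return audit_bucket(acl, pab, status)


if __name__ == "__main__":
    for label, args in (
        ("leaky", (LEAKY_ACL, None, None)),
        ("hardened", (HARDENED_ACL, HARDENED_PAB, PRIVATE_POLICY_STATUS)),
    ):
        print(label, audit_bucket(*args) or ["no public exposure found"])
```

Running the module prints two findings for the constructed leaky bucket (no Public Access Block, and a READ grant to AllUsers) and none for the hardened one. Turning on all four Public Access Block settings is the single account- or bucket-level change that would have made the anonymous listing described above impossible regardless of stray ACL grants.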
"Criminals and malicious hackers could use these videos against their creators to target them in various ways, with ruinous consequences, personally and financially," said VPN Mentor, quite correctly pointing out that "private, intimate, home-made pornography is a valuable tool in blackmail and extortion".
There is no mitigation for VEED users: because the videos were left online for anyone to view and download, changing your password and all the standard security advice that normally applies for a data breach won't have any effect here. All you can do is hope that nobody's downloaded your self-starring grumble flicks and recognised you. Contacting VEED itself would be a good idea, but if the firm ignores both security researchers and questions from the media, it probably won't bother answering customer questions either.
The Israeli security research duo have revealed quite a few data breaches, including the Suprema Biostar 2 breach of August that revealed 27 million personal data records and the leaking of 20 million Ecuadorians' data from a database hosted in Miami, Florida. Their report into Veed can be read on the VPN Mentor website. ®