Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Security with vimeo domain privacy and <iframe>

In our App users can subscribe to get access to "premium videos". We use vimeo to host all those videos using that domain protection setting that only allows our videos to be embedded in a specific domain.

Our situation:
If a ill-intended user subscribes for a month and use that access to get all the private videos IDs (something around 1500) using Firebug, chrome inspect or another tool like that, he can manually insert an iframe on our login page and since it's on the domain that is allowed by vimeo, the private video will play without any restriction.
Making use of the stolen ids he can then create a plugin that can list all of our private videos for free on our own site :(
Here's a code sample that someone can use to play a video on our domain just by inserting it using chrome inspect:

<iframe src="https://player.vimeo.com/video/{any video ID including our domain protected ones}" width="640" height="640" frameborder="0" allowfullscreen=""></iframe>

My question:
Is there a way to avoid or make it harder for someone to do this?
A possible solution that we could think of was to create another domain to use as the domain for the videos (avoid using the same as login), but its possible to get that new domain on the network tab of chrome anyway.

P.S: I don't know if that's relevant but we are using PhoneGap/Cordova to develop the app.

like image 896
Edurox Avatar asked Jul 28 '18 02:07

Edurox


1 Answers

After a research and a few answers from vimeo support we found a solution that works for our case.
Since there's no way to stop people from downloading your videos if they have access to them, we changed our strategy from using domain protection to direct video link/url (you need to upgrade your vimeo account to PRO or BUSINESS).
When you get a direct video url (like https://player.vimeo.com/external/...) and open it in a browser it redirects you to a temporary Url (answer from vimeo: "Both the files and download links are HTTP 302 redirects to the actual video file resources. The location of the actual video file resources expires every few hours, so make sure you always use the redirect links we provide."). We can then use this temporary url in html5 video tag and play our videos.

Notes:

  1. If a user steals our urls it will only work for a few hours and that way he wont be able to build a site with our videos using our Urls.

  2. Unfortunately someone with some knowledge in web can download the videos easily using that direct video link, but since we can't avoid the videos to be downloaded anyway that wont be a big deal.

  3. We need to get the temporary url server side, because we don't want anyone to access the original direct url (like https://player.vimeo.com/external/...).


Here's a code example in c# that gets that temporary url (based on this):

  var url = "https://player.vimeo.com/external/...";
  HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create(url);
  webRequest.AllowAutoRedirect = false;  // IMPORTANT
  webRequest.UserAgent = "youruseragent";
  webRequest.Timeout = 10000;           // timeout 10s

  // Get the response ...
  using(var webResponse = (HttpWebResponse)webRequest.GetResponse()) {
    // Now look to see if it's a redirect
    if((int)webResponse.StatusCode >= 300 && (int)webResponse.StatusCode <= 399) {
      string uriString = webResponse.Headers["Location"];
      System.Diagnostics.Debug.WriteLine("Redirect to " + uriString ?? "NULL");
    }
  }


like image 100
Edurox Avatar answered Oct 19 '22 01:10

Edurox