by kevincox
1980 days ago
This seems like something trivial to miss. The developer is asked to put the player into a page that has basically just the player and exposes an API. The API should allow playing videos and playlists. They do the obvious thing and it all works. The fact is that the security here wasn't the default. They need to explicitly realize that this allows the website to list playlists and consider that this should not allow listing the playlist with the user's credentials. This seems like an incredibly likely vulnerability to me and I am not surprised that even "elite" programmers missed it.

Was that a typo? Seems to me it should be an incredibly UNlikely vulnerability for "elite" programmers to miss it. If you meant that as written I don't understand it; please explain.