by Andaith 1280 days ago
Surely it is a vulnerability?

The behaviour everyone likely expects, in Twitter & Android, is that if you send a video to one person directly, then only that one specific person should be able to access it.

It's different if the UI makes clear that you're uploading an image to a website where it will be publicly available, but random people "probably" won't find it, and you can share the link with someone.


Technically I agree - it's just one of those things that quite a few platforms do... It's similar to the Eufy stuff circulated about recently. User uploads XYZ, they expect it to be "private" - platform devs decide private == obfuscated via a super long file name (a bit layman, sorry) in some kind of object storage.

While there's definitely a method of securing the access to the uploaded content to those who should have access, it's often not implemented that way since your uploaded content would be statistically improbable to "guess" and even more improbable to tie it back to you.

I came off a little direct, straight up saying it was not a vulnerability without context. While I still stand by it not being a vuln from a sec perspective, it's definitely not great.

Part of the issue with Eufy is that they uploaded people’s content even when cloud backup was off. They also had the video stream unencrypted. It accepts an authentication token but never actually enforces it.
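As an added illustration, not code from this thread or from any of the platforms it mentions, the following Python sketch contrasts the two designs the comments above describe: a download handler whose only protection is the unguessable object key (the token it receives is never enforced), beside one that verifies the token and checks the caller against the object's owner and direct recipients. The object store, the signing key, the user names and the token format are all constructed for the example.

```python
"""Added example: "private == unguessable key" beside enforced access control.
Everything here (store, key, users, token format) is constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side signing key; a real service loads this from a secret store.
SIGNING_KEY = secrets.token_bytes(32)

# Constructed object key: long and random, which is all the obscurity-only design relies on.
VIDEO_KEY = "9f2c7e1a4b8d6c0e5a3f1b7d2c9e4a6f8b1d3c5e7a9f0b2d4c6e8a1f3b5d7c9e"

# Constructed object store: key -> (owner, direct recipients, content).
OBJECTS = {
    VIDEO_KEY: ("alice", {"bob"}, b"<constructed video bytes>"),
}


def issue_token(user: str, ttl_seconds: int = 3600) -> str:
    """Mint a bearer token of the form 'user:expiry:mac', signed with SIGNING_KEY."""
    expiry = int(time.time()) + ttl_seconds
    payload = f"{user}:{expiry}".encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return f"{user}:{expiry}:{mac}"


def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the user named by a valid, unexpired token, otherwise None."""
    if not token:
        return None
    try:
        user, expiry_str, mac = token.split(":")
        expiry = int(expiry_str)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SIGNING_KEY, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if expiry < int(time.time()):
        return None  # expired
    return user


def fetch_obscurity_only(key: str, token: Optional[str] = None) -> bytes:
    """The pattern the thread describes: a token is accepted but never checked.
    Whoever holds the key (forwarded link, proxy log, screenshot) gets the object."""
    return OBJECTS[key][2]


def fetch_enforced(key: str, token: Optional[str]) -> bytes:
    """Authenticate the caller first, then authorise against the object's ACL.
    The token check comes before the key lookup so unauthenticated callers
    cannot use the response to probe for valid keys."""
    user = verify_token(token)
    if user is None:
        raise PermissionError("missing, forged or expired token")
    owner, recipients, content = OBJECTS[key]
    if user != owner and user not in recipients:
        raise PermissionError(f"{user} is not allowed to read this object")
    return content
```

The recipients set is what turns "I sent this to one person" into an enforceable rule: a valid token from a third account, or a token with the user field rewritten, is refused even though the key itself is correct.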