Twitter DM Videos Are Accessible to Unauthenticated Users

by   Michael L. Nelson, et al.

Videos shared in Twitter Direct Messages (DMs) have opaque URLs based on hashes of their content, but are otherwise available to unauthenticated HTTP users. These DM video URLs are thus hard to guess, but if they were somehow discovered, they are available to any user, including users without Twitter credentials (i.e., specific HTTP Cookie or Authorization request headers). This includes web archives, such as the well-known Internet Archive Wayback Machine, which can be used to move DM videos to domains outside of This lack of authentication for DM videos is in contrast to Twitter's model for images in DMs, which also have opaque URLs but require a session-specific HTTP cookie shared only between the DM participants. We review a minimal reproducible example of an image and video shared between two demo accounts, and show that while the image is protected from unauthenticated access as well as from an authenticated third party, the video itself is persistently available for any user who knows the URL.
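The comparison the abstract describes (anonymous request versus one carrying the DM participant's session cookie, for a video and for an image) can be turned into a small access-control regression check. This is an added example, not code from the paper; the URLs, the `auth_token` cookie name and the simulated server responses are constructed placeholders, and the live `http_status` fetcher is included only for use against an endpoint you are authorised to test.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict

Fetcher = Callable[[str, Dict[str, str]], int]  # (url, request headers) -> HTTP status

def http_status(url: str, headers: Dict[str, str]) -> int:
    """Live fetcher: HEAD the URL with exactly the given headers, return the status."""
    req = urllib.request.Request(url, headers=headers, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

@dataclass
class Verdict:
    url: str
    anonymous_status: int      # response to a request with no Cookie/Authorization
    credentialed_status: int   # response to a request carrying the caller's session
    @property
    def exposed(self) -> bool:   # served to anyone who knows the URL
        return 200 <= self.anonymous_status < 300
    @property
    def gated(self) -> bool:     # refused anonymously, served to this session
        return not self.exposed and 200 <= self.credentialed_status < 300

def check_media(url: str, session: Dict[str, str], fetch: Fetcher = http_status) -> Verdict:
    """Compare an anonymous request against one carrying the session headers."""
    return Verdict(url, fetch(url, {}), fetch(url, session))

# --- constructed, offline stand-in for the behaviour the abstract describes ---
VIDEO_URL = "https://media.example.invalid/dm_video/<content-hash>.mp4"  # placeholder
IMAGE_URL = "https://media.example.invalid/dm_image/<content-hash>.jpg"  # placeholder
PARTICIPANT = {"Cookie": "auth_token=participant-demo"}  # hypothetical cookie name
THIRD_PARTY = {"Cookie": "auth_token=outsider-demo"}     # authenticated, not a DM party

def simulated_fetch(url: str, headers: Dict[str, str]) -> int:
    if url == VIDEO_URL:  # video: opaque URL, but no credential check at all
        return 200
    if url == IMAGE_URL:  # image: only the DM participants' session cookie is accepted
        return 200 if headers.get("Cookie") == PARTICIPANT["Cookie"] else 403
    return 404

if __name__ == "__main__":
    for url in (VIDEO_URL, IMAGE_URL):
        v = check_media(url, PARTICIPANT, simulated_fetch)
        print(f"{url}\n  exposed={v.exposed} gated={v.gated}")
```

A media endpoint passes the check only when every `Verdict` reports `gated` and none reports `exposed`; an `exposed` verdict means the opaque URL is the sole protection.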
