Dark Web News Analysis
A threat actor has released a sample dataset allegedly obtained from the Kaltura Video Platform, specifically from the instance used by Queen Mary University of London. The leak, currently an 8 GB sample, reportedly relied on an open API vulnerability to scrape private video content.
Brinztech Analysis:
- The Vulnerability (Insecure API / IDOR): The breach appears to stem from an Insecure Direct Object Reference (IDOR) or a lack of access controls on the Kaltura API. The threat actor is likely iterating through “Media Entry IDs” (sequential or guessable video identifiers) to query the API. If the API endpoint does not validate if the requestor has permission to view that specific Entry ID, it returns the download link for the video file, regardless of its privacy setting.
- The Data: The exposed content is highly sensitive for an educational institution:
  - Intellectual Property: Recorded lectures and course materials.
  - Student Privacy: “Private discussions,” student presentations, and potentially sensitive 1-on-1 supervision meetings recorded on the platform.
  - PII: Student IDs, names, and faces visible in the video feeds.
- The Scale: While the sample is 8 GB, the method described (scraping via API) allows for the exfiltration of the entire video repository (potentially hundreds of terabytes) if the API endpoint is not secured immediately.
- The Wiki Factor: The news highlights that “publicly accessible documentation” (a wiki page) aided the attackers. This suggests the university or Kaltura may have inadvertently published API keys or internal endpoint documentation that guided the attackers on how to structure the malicious queries.
Key Cybersecurity Insights
This incident highlights a critical flaw in how educational institutions secure vast multimedia repositories:
- “Security by Obscurity” Failure: Relying on “unlisted” links or obscure Media Entry IDs is not security. Automated scrapers can test millions of IDs per hour.
- API Misconfiguration: APIs are often the path of least resistance. A video platform might be secure at the front-end (requiring a student login), but its back-end API might be wide open to any request that knows the correct URL structure.
- Privacy Violation (GDPR): Queen Mary University is subject to GDPR. The leak of video recordings featuring students (faces and voices) constitutes a breach of biometric and personal data, carrying significant regulatory fines and reputational damage.
- Doxxing & Harassment: Private discussions or disciplinary hearings recorded on the platform could be weaponized for harassment or doxxing of students and staff.
Mitigation Strategies
In response to this leak, Queen Mary University and other Kaltura administrators must take immediate defensive action:
- API Security Hardening (Immediate): Audit all Kaltura API endpoints (e.g., /api_v3/). Ensure that “Anonymous” access is disabled and that every API request requires a valid, authenticated session token (ks) with specific permissions for the requested Entry ID.
- Rate Limiting: Implement strict rate limiting on API calls. A single IP address requesting thousands of Media Entry IDs in rapid succession should be automatically blocked.
- Rotate API Secrets: If the breach was facilitated by keys found in a public wiki, immediately rotate all Kaltura Administrator Secrets and Partner IDs.
- Data Loss Prevention (DLP): Configure the video platform to restrict downloads. Ensure “Download” privileges are removed for standard users and reserved only for content owners or admins.
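To make the IDOR pattern described above and the first two mitigations concrete, here is an added Python model (not Kaltura's code and not part of the original post): a flawed download-link handler that only checks whether an entry exists, the hardened version that requires a session token and a per-entry permission check, and a small detector that flags a source IP requesting many distinct entry IDs within a short window. Entry IDs, session tokens, the CDN host and the log format are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample entries: id -> owner, privacy flag, explicitly allowed viewers.
ENTRIES = {
    "0_abc123": {"owner": "lecturer1", "private": False, "allowed": set()},
    "0_abc124": {"owner": "lecturer1", "private": True, "allowed": {"student7"}},
    "0_abc125": {"owner": "lecturer2", "private": True, "allowed": set()},
}
# Hypothetical session store: ks token -> authenticated user id.
SESSIONS = {"ks-student7": "student7", "ks-lecturer2": "lecturer2"}


def download_link_vulnerable(entry_id):
    """Flawed handler: anyone who can guess an existing entry id gets the link."""
    if entry_id not in ENTRIES:
        return None
    return f"https://cdn.example/{entry_id}/download"


def download_link(ks, entry_id):
    """Hardened handler: valid session first, then authorization for this entry."""
    user = SESSIONS.get(ks)
    entry = ENTRIES.get(entry_id)
    if user is None or entry is None:
        return None  # identical response for bad session and unknown entry
    if entry["private"] and user != entry["owner"] and user not in entry["allowed"]:
        return None  # authenticated but not permitted to view this entry
    return f"https://cdn.example/{entry_id}/download"


def enumerating_clients(log_lines, max_distinct=3, window=60):
    """Return source IPs that requested more than `max_distinct` different
    entry ids within `window` seconds. Constructed log format:
    '<unix_ts> <ip> <entry_id> <status>' (one request per line, time-ordered)."""
    history = defaultdict(list)  # ip -> [(timestamp, entry_id), ...]
    flagged = set()
    for line in log_lines:
        ts, ip, entry_id, _status = line.split()
        ts = int(ts)
        history[ip].append((ts, entry_id))
        recent = {e for t, e in history[ip] if ts - t <= window}
        if len(recent) > max_distinct:
            flagged.add(ip)
    return flagged


# Constructed access log: one client walks sequential ids, another rewatches a lecture.
SAMPLE_LOG = [
    "1700000000 203.0.113.9 0_abc100 200", "1700000001 203.0.113.9 0_abc101 200",
    "1700000002 203.0.113.9 0_abc102 200", "1700000003 203.0.113.9 0_abc103 200",
    "1700000004 203.0.113.9 0_abc104 200", "1700000010 198.51.100.4 0_abc123 200",
    "1700000040 198.51.100.4 0_abc123 200",
]
```

With the sample data, the flawed handler hands out a link for the private entry 0_abc125 to an unauthenticated caller, the hardened handler refuses unless the caller's session is the owner or an allowed viewer, and the detector flags only 203.0.113.9.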