Protecting your business online used to be simpler.
You had your IPs, domains and devices; there wasn’t much more to it.
But in the race to get more eyes on products faster than ever, and in front of as big an audience as possible, companies are forgetting one of security’s age-old lessons.
That is, when you involve humans and secrets, the secrets will inevitably leak.
In this week’s edition of HackedIN, we look at the attack surface that’s hidden in plain sight – literally.
That is, videos.
Humans Leaking Secrets on Video Isn’t a New Thing
You’ve all probably seen it at least once in your life: a random news interview with someone talking on live TV while they have a Wi-Fi password printed on the wall behind them.
It’s hardly a rare occurrence.
Here are just a couple of examples from the last few years:
A Password for the Hawaii Emergency Agency Was Hiding In a Public Photo, Written On a Post-it Note
In 2018, an alert about an incoming ballistic missile sent Hawaii into a panic until emergency officials announced that the message had been sent in error.
Officially unrelated to the incident but interesting nonetheless, a few weeks later, an Associated Press photo resurfaced on X (Twitter).
In it, the agency’s operations officer posed in front of several computer screens. Attached to one was a password written on a Post-it note.
The photo raised questions about the approach to information security at the agency. (On the other screen, another note reminds the user to “SIGN OUT.”)
Crypto Influencer Loses $60,000 After Accidentally Showing His Private Keys During Live Stream
It’s not always so funny, as Brazilian crypto streamer fraternidadecrypto recently found out.
During a livestream, he opened a notepad file on his computer containing the private keys connected to his cryptocurrency accounts.
For the non-crypto readers, this would be like opening your notes on your phone during a live stream and showing your login details to all your accounts.
“It went so fast and I got really bad. When I went to transfer the assets, an error sign appeared. I couldn’t believe that I was going through this”
It’s All Fun And Games Until It Happens To You
As much as we joke about these types of slip-ups, they’re far from the exception.
I spent around 3 hours reviewing video demos from yet-to-be-named companies.
During this time, I found 12 AWS key exposures, 2 SSH passwords with keys, and 4 Azure tokens, all of which worked to different extents.
The Takeaways
The Permanence of Mistakes
What sets video leaks apart is their longevity.
Unlike verbal slips or temporary lapses, video footage gets archived, often remaining accessible indefinitely.
The problem gets compounded when the asset exposed by the leaked credential is forgotten, much like the video itself, yet remains vulnerable.
The Attacker Never Sleeps
These incidents highlight a certain reality: You might not always be the victim, but the attacker is always watching.
Reevaluating Your Attack Surface
Companies must come to grips with the fact that their attack surface is no longer confined to hardware, apps and IP addresses.
Your human resources, marketing channels, and even promotional videos all offer ways to break into your business under the right circumstances.
The next time you’re about to hit ‘Record’ on a product demo or webinar, think long and hard about what you’re genuinely putting on display.