Video Killed the Security Star
Posted: Tuesday, Feb 06


Protecting your business online used to be simpler.

You had your IPs, domains and devices; there wasn’t much more to it.

But in the race to get more eyes on products faster than ever, and in front of as big an audience as possible, companies are forgetting one of security’s age-old lessons.

That is, when you involve humans and secrets, the secrets will inevitably leak.

In this week’s edition of HackedIN, we look at the attack surface that’s hidden in plain sight – literally 📺

That is, videos.

Humans Leaking Secrets on Video Isn’t a New Thing

You’ve all probably seen it at least once in your life: a random news interview with someone talking on live TV while they have a Wi-Fi password printed on the wall behind them.

It’s hardly a rare occurrence.

Here are just a couple of examples from the last few years 👇

A Password for the Hawaii Emergency Agency Was Hiding In a Public Photo, Written On a Post-it Note

In 2018, an alert about an incoming ballistic missile sent Hawaii into a panic until emergency officials announced that the message had been sent in error.

Officially unrelated to the incident but interesting nonetheless, a few weeks later, an Associated Press photo resurfaced on X (Twitter).

In it, the agency’s operations officer posed in front of several computer screens. Attached to one was a password written on a Post-it note.

The photo raised questions about the approach to information security at the agency. (On the other screen, another note reminds the user to “SIGN OUT.”)

Crypto Influencer Loses $60,000 After Accidentally Showing His Private Keys During Live Stream

It’s not always so funny.

As Brazilian crypto streamer fraternidadecrypto recently found out.

During a livestream, he opened a notepad file on his computer containing the private keys connected to his cryptocurrency accounts.

For the non-crypto readers, this would be like opening your notes on your phone during a live stream and showing your login details to all your accounts.

“It went so fast and I got really bad. When I went to transfer the assets, an error sign appeared. I couldn’t believe that I was going through this”

 

It’s All Fun And Games Until It Happens To You

As much as we joke about these types of slip-ups, they’re far from the exception.

I spent around 3 hours reviewing video demos from yet-to-be-named companies.

During this time, I found 12 AWS key exposures, 2 SSH passwords with keys, and 4 Azure tokens, all of which worked to different extents.

The Takeaways

The Permanence of Mistakes

What sets video leaks apart is their longevity.

Unlike verbal slips or temporary lapses, video footage gets archived, often remaining accessible indefinitely.

The problem gets compounded when the asset exposed by the leaked credential is forgotten, much like the video itself, yet remains vulnerable.

The Attacker Never Sleeps

These incidents highlight a certain reality: You might not always be the victim, but the attacker is always watching.

Reevaluating Your Attack Surface

Companies must come to grips with the fact that their attack surface is no longer confined to hardware, apps and IP addresses.

Your human resources, marketing channels, and even promotional videos all offer ways to break into your business under the right circumstances.

The next time you’re about to hit ‘Record’ on a product demo or webinar, think long and hard about what you’re genuinely putting on display.
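One way to put that review into practice before publishing your own recording, as an added example that is not the author's tooling: scan text that a separate OCR step has extracted from sampled frames, and report when each credential is on screen so the segment can be cut or blurred and the credential rotated. The function names, the frame format and the sample data are assumptions of this example.

```python
import re

# Patterns for the credential types named in this article. The AWS and PEM
# formats are well known; treating any JWT-shaped string as a possible Azure
# token is an assumption of this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt_like_token": re.compile(r"\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}"),
}

def redact(value, keep=4):
    """Show only a short prefix so the report itself does not leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_frames(frames, gap=2.0):
    """frames: iterable of (timestamp_seconds, ocr_text), sorted by time.
    Returns one finding per secret with the time ranges it is visible in."""
    findings = {}
    for ts, text in frames:
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                key = (kind, match.group(0))
                ranges = findings.setdefault(key, [])
                if ranges and ts - ranges[-1][1] <= gap:
                    ranges[-1][1] = ts          # extend the current range
                else:
                    ranges.append([ts, ts])     # secret (re)appears on screen
    return [
        {"kind": kind, "value": redact(value), "ranges": [tuple(r) for r in ranges]}
        for (kind, value), ranges in findings.items()
    ]

# Constructed sample: OCR text from frames sampled once per second. The key is
# AWS's documentation example value, not a real credential.
SAMPLE_FRAMES = [
    (10.0, "$ ls demo/"),
    (11.0, "$ cat ~/.aws/credentials"),
    (12.0, "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"),
    (13.0, "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"),
    (14.0, "$ clear"),
    (95.0, "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"),
    (96.0, "-----BEGIN OPENSSH PRIVATE KEY-----"),
]

if __name__ == "__main__":
    for finding in scan_frames(SAMPLE_FRAMES):
        print(finding)
```

Any credential that reaches a published video should be rotated even after the footage is edited, since copies of the original may already be archived.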

Jamie O'Reilly
With over 12 years of experience in information security, Jamie specialises in application security, cryptography, secure design & secure application development. Jamie has worked collaboratively with international enterprise and government organisations including: Adobe, The RAND Corporation, Riot Games, Evernote, General Motors, Etsy, Firefox, CERN, Vidyo, Australian Signals Directorate and more to achieve business goals and evolve the way that these organisations approach security.