Pentagon left livestream keys exposed, hijack risk included
Briefly

"The US Department of Defense, up until this week, routinely left its social media accounts wide open to hijackers via stream keys - unique, confidential identifiers generated by streaming platforms for broadcasting content. If exposed, these keys can allow attackers to output anything they want from someone else's channel. This was revealed by The Intercept's most recent investigation, published on Monday, which found that the Pentagon for years posted stream keys on its Defense Visual Information Distribution Service (DVIDS) website."
"The DVIDS website is open to the public and doesn't require an account to browse, and it hosts military and administration videos, along with a schedule of upcoming webcasts. Up until this week, it also exposed some stream keys to its Facebook, YouTube, and X channels, leaving its livestreams open to account takeovers: For example, Twitter stream keys were posted for the U.S. Cyber Command change of command ceremony live stream in 2018."
The Department of Defense routinely uploaded confidential streaming keys to the public DVIDS website, exposing unique identifiers for Facebook, YouTube, and X livestreams. Exposed keys could allow attackers to broadcast content from compromised channels, enabling account takeovers. Specific incidents include Twitter stream keys posted for a 2018 U.S. Cyber Command event, X and YouTube keys for a West Point commencement, and keys posted hours before a livestream of Defense Secretary Pete Hegseth in August. The keys could be found through the DVIDS portal's sequential webcast URLs and simple searches. The Defense Department implemented new stream keys and removed public sharing; cached copies of the old keys may persist.
Read at Theregister