bug: Unauthenticated sequential chunk download vulnerability allowing full video download
Describe the bug
Currently, to prevent video downloads, some of the videos use a system in which the video is served in small segments (chunks) of 8 seconds. The issue is that these chunks are named in a sequential, incremental pattern.
This allows anyone to download the entire video once they know the name of the first chunk.
To Reproduce
Steps to reproduce the behavior:
- Find the first network request that is sent to the server.
Here, if the user simply increments the chunk number from 0.ts up to the last chunk (in this case ...896.ts), they are able to retrieve all of the chunks.
These chunks can easily be stitched together, even by an unauthenticated user, using a simple Python script. Not sharing the script here to prevent unwanted piracy issues.
Here is the proof of this being possible, resulting in download of the entire video.
Expected behavior
Expected behavior for this should be:
- Downloading of chunks should be restricted to authenticated users only.
- Ideally with a rate limit to prevent both authenticated and unauthenticated users from taking advantage of this.
- Additionally, the chunk names should be randomized so that they can't be guessed simply by incrementing the last digit.
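One way to implement the authenticated, non-guessable chunk access described above, added here as an example and not code from the project this issue was filed against: every chunk URL issued to a logged-in client carries a short-lived HMAC over the video id, chunk index, user id and expiry, so the server only serves a chunk whose token it issued, and changing 0.ts to 1.ts in the URL invalidates the token. The SECRET_KEY value, the /video/<id>/<n>.ts path shape and the query parameter names are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key (assumption); a real deployment loads this from secret storage.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _segment_mac(video_id: str, segment: int, user_id: str, expires: int) -> str:
    # The MAC binds the chunk index, so incrementing the index in the URL
    # breaks the token; it also binds the user and an expiry time.
    msg = f"{video_id}|{segment}|{user_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_segment_url(video_id: str, segment: int, user_id: str,
                     ttl: int = 60, now: Optional[int] = None) -> str:
    """Issue a short-lived URL for one chunk to an already authenticated user."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    query = urlencode({"u": user_id, "e": expires,
                       "s": _segment_mac(video_id, segment, user_id, expires)})
    return f"/video/{video_id}/{segment}.ts?{query}"


def verify_segment_url(url: str, now: Optional[int] = None) -> bool:
    """Server-side check before serving a chunk; False means reject (403)."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "video" or not parts[2].endswith(".ts"):
        return False
    video_id, seg_str = parts[1], parts[2][:-3]
    if not seg_str.isdigit():
        return False
    q = parse_qs(parsed.query)
    try:
        user_id, expires, sig = q["u"][0], int(q["e"][0]), q["s"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False  # token expired; client must ask for a fresh one
    expected = _segment_mac(video_id, int(seg_str), user_id, expires)
    return hmac.compare_digest(expected, sig)  # constant-time comparison


if __name__ == "__main__":
    url = sign_segment_url("lesson42", 0, "alice", now=1_700_000_000)
    print(verify_segment_url(url, now=1_700_000_010))  # True
    print(verify_segment_url(url.replace("/0.ts", "/1.ts"), now=1_700_000_010))  # False
```

Rate limiting per user and per video would sit in front of this check; the token only decides whether a given chunk may be served at all.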
I want to try this ... can I?