Loom leaks private video snippet clips, as a feature [fixed]
Loom built a really easy tool to record your screen together with a recording of yourself. Great for creating and sharing screen recordings on issues or solutions. I've been a paying user myself for a while now.
During Covid I recorded educational videos for the school class of my son. It featured my screen and me and my son as host. I made the video private because it showed not only my browser bookmarks and desktop files but also my son which I prefer not to appear on the web publicly.
Next to creating private recordings, you can also password protect your videos on Loom. That way you can share the link, but a video specific password is needed to view.
Both cases I expect my video content to be shielded from the public.
So I was surprised when I got a Loom summary email with an inline 5 sec video clip as a gif of my private video. My Spidey sense acted up immediately. I checked the source of this gif and was even more surprised the file url was not even signed. Even worse the file name of the video loop had the exact same ID as my private video.
So the private recording on Loom can be found here (note the url with the ID):
> https://www.loom.com/share/90d171e23d0e4771a535649871677669
This is what Loom makes publicly available for any (private/password protected) recording:
> https://cdn.loom.com/sessions/thumbnails/90d171e23d0e4771a535649871677669-00001.mp4
A 5 second high definition clip! In this case featuring my desktop, my bookmarks, my browser auto complete, my living room interior and my face. Lots of privacy sensitive stuff leaked in a 5 second public clip.
Let me list what is wrong with this:
- While the video is private, the url contains a unique video ID.
- Anybody can view the video snippet by changing the URL to the video ID you want to snoop on.
For a 6 year old company with 70M in funding that is not a simple oversight, that is a serious privacy issue.
Technically this could be solved by generating a long unique ID for the video snippet URL, or better would be by signing the url with a key that expires, or the best option to not even host a 5 sec clip on a public url for private recordings.
They choose none of the above.
So the first thing I did was sent a message to the founder of Loom who I was connected to on Linkedin and to security@loom.com. Both responded the same day that they were on the case. Good. But after 6 weeks of silence, I checked and saw nothing had changed. I asked what the status was and the Senior Security Engineer who I reported to had a single line response:
This is more of a product design choice. That being said we consider the security risk involved and is being internally discussed.
So there you have it. As a feature you get a public video snippet of your private screen recordings! Be aware, will not be fixed soon.
Update: After posting this, I got contacted again and told they reconsidered their stance and would fix it. Today (29 april 2021) they did fix the preview urls by replacing them with an expiring signed URL solving the issues raised. Good!
PS; I am aware Loom is built to easily record and create a public link of that recording as its key value proposition. But when you have the option to make a video private, you should take responsibility of actually taking that serious.