How I Found 20 Security Vulnerabilities in a Major OTT Streaming Platform

Introduction

In May 2026, I conducted an independent black-box security assessment of a major South Indian OTT streaming platform using only publicly available tools such as Chrome DevTools, HAR file analysis, and standard HTTP testing utilities.

During the assessment, I identified 20 security vulnerabilities across the platform's web application, REST APIs, CDN infrastructure, and DRM implementation.

Among these findings were two critical vulnerabilities that, when combined, allowed a complete bypass of the platform's subscription system. Premium DRM-protected content could be streamed without authentication or an active subscription.

This article summarizes the research process, key findings, attack chains, and lessons that streaming platforms should learn from these architectural failures.

Responsible Disclosure Notice:_ All sensitive information, including API endpoints, encryption keys, CDN paths, and token structures, has been redacted. The complete technical report was privately disclosed to the platform before publication._

Scope and Methodology

The assessment focused on:

• Web Application
• REST API Infrastructure
• CDN Delivery Layer
• DRM Systems (Widevine, PlayReady, FairPlay)

Testing Methodology

The assessment followed:

• OWASP Web Security Testing Guide (WSTG v4.2)
• OWASP Top 10 (2021)

Tools Used

• Chrome DevTools
• HAR File Analysis
• CryptoJS
• Shaka Player
• Custom Next.js Proxy
• curl

No server access was used during testing, and no user data was accessed.

Findings Overview

SeverityCountCritical2High4Medium8Low3Informational3Total20

The assessment revealed architectural weaknesses across three critical layers:

• API Gateway
• CDN Infrastructure
• DRM License System

Together, these weaknesses enabled complete subscription bypass.

Critical Finding #1: DRM License Endpoint Without Authentication

Severity: Critical (CVSS 9.1)

The DRM license endpoint issued valid decryption keys without verifying:

• User identity
• Subscription status
• Authentication tokens

Any client capable of generating a valid Widevine license challenge could receive content decryption keys.

Impact

A user without a subscription could obtain valid DRM licenses and decrypt premium content.

Recommended Fix

• Require authenticated bearer tokens
• Verify active subscriptions before license issuance
• Bind licenses to authenticated sessions

Critical Finding #2: Server Subscription Credentials Exposed Through Proxy

Severity: Critical (CVSS 9.3)

The platform's streaming proxy automatically attached server-side subscription credentials to outgoing CDN requests.

As a result, unauthenticated users could access premium content through the proxy.

Impact

The server effectively acted as a shared premium account for all users.

Recommended Fix

• Verify user sessions before proxying requests
• Use user-specific credentials instead of server credentials

How the Two Critical Vulnerabilities Combined

When chained together:

1. Premium content could be retrieved through the proxy.
2. DRM license requests required no authentication.
3. Decryption keys were issued to anyone.

Result:

Complete end-to-end premium content access without login or subscription.

High Severity Findings

Hardcoded AES Encryption Key

The platform shipped AES encryption keys directly inside client-side JavaScript bundles.

Anyone could extract the key using browser developer tools.

Why This Matters

If the key is publicly available in JavaScript, the encryption provides little real protection.

Wildcard CDN Token

The CDN issued long-lived wildcard tokens that granted access to all content paths.

Impact

A token obtained from free content could potentially be reused to access premium content.

Permanent Content UUIDs

Content identifiers never rotated and remained valid indefinitely.

Combined with weak token controls, these permanent identifiers increased long-term exposure risks.

Medium Severity Findings

Several additional weaknesses were discovered:

• Static AES initialization vectors
• Device registration bypass
• Long-lived session cookies
• Missing ownership validation
• Geo-restriction weaknesses
• Lack of rate limiting
• DRM challenge generation behavior
• Unauthenticated session-reset functionality
• Phone number enumeration

While individually less severe, these issues contributed to the platform's overall attack surface.

Example Attack Chains

Attack Chain A: Premium Access Through Free Account

1. Access free content
2. Obtain CDN token
3. Discover content identifiers
4. Request DRM license
5. Receive decryption keys
6. Stream premium content

Attack Chain B: Unauthenticated Streaming

1. Access streaming proxy
2. Proxy attaches server credentials
3. Premium content becomes available

Attack Chain C: Subscriber Enumeration

1. Query account status endpoint
2. Identify active subscribers
3. Perform credential-stuffing attempts
4. Potential account compromise

What the Industry Should Learn

1. Client-Side Encryption Is Not Security

If encryption keys are shipped to the browser, they should be considered exposed.

2. DRM Depends on License Server Security

Strong DRM technologies are ineffective if license endpoints lack proper access controls.

3. CDN Tokens Must Include Authorization Context

Access tokens should verify:

• User identity
• Subscription status
• Session validity

4. Server-Side Proxies Require Strong Validation

Proxy services inherit server privileges and must enforce strict authorization checks.

5. Rate Limiting Is Essential

Authentication systems should implement:

• Login throttling
• CAPTCHA challenges
• Account lockout protections

6. Permanent Resource Identifiers Create Long-Term Risk

Content paths and identifiers should rotate periodically to reduce exposure.

Recommended Remediation Roadmap

Immediate Actions

• Secure DRM license endpoint
• Protect streaming proxy endpoints
• Rate-limit authentication APIs
• Remove sensitive information from public endpoints

Short-Term Improvements

• Remove client-side cryptographic keys
• Rotate session tokens
• Implement ownership validation
• Restrict CDN token scope

Long-Term Improvements

• CDN path rotation
• Edge-level subscription validation
• Improved DRM authorization architecture
• Stronger session enforcement

Conclusion

This assessment demonstrated how multiple independent weaknesses can combine into a much larger architectural problem.

While individual vulnerabilities may appear manageable in isolation, improper separation between DRM systems, CDN infrastructure, and access control mechanisms can significantly increase risk.

The most important lesson is simple:

Security is only as strong as the weakest layer in the delivery chain.