
Thread: Security breach in HTTP streaming

  1. #1

    Security breach in HTTP streaming

    I need a fast solution because I discovered this loophole the hard way on the production environment, which is now offline until this is fixed.

    This is the scenario:
    There is a security module (onHTTPSessionCreate) that checks if the user is authenticated when he requests the stream with the link:
    If the user is not authenticated, the session is rejected, and there is no problem here.

    Now this is happening: an authenticated user requests the link and a chunklist is returned to him.
    Then he opens the links in a player to keep the session open, and then shares these links with other users.

    On the server we noticed this behaviour when only one connection was shown as active and the download speed corresponded to more than 100 users.
    Running a test with 3 active connections on the same session in the :8086/connectioncounts, this was shown
    Also when opening the chunklist link directly
    the method onHTTPSessionCreate is not called; it is called only when the first connection to the playlist is requested.


  2. #2



    If you believe you have found a vulnerability in the Wowza security section then please post your findings to This will raise a ticket and will be quickly looked at.

    Please include zipped up copies of,


    and any other content or detail which will help us to identify the problem.

    However, if you are running Wowza Streaming Engine (version 4x), you may wish to perform an update first as there may have been a relevant patch added,
    Software Updates
    How to apply a software update

    The update process will preserve your current configuration.

    Kind regards,


  3. #3


    Just to update the thread, it was resolved via ticket.

    The solution is to implement IVHostHTTPStreamerRequestValidator, which will allow me to register all access, even to the chunklist.
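
The fix described in #3, checking every request instead of only session creation, modelled below as an added Python example (not part of the thread and not Wowza's API). The `_w<id>` URL pattern, the binding of a session to one client IP, and all class and function names are assumptions for illustration.

```python
import re

# Assumption: chunklist and segment URLs carry the session id as "_w<digits>",
# e.g. chunklist_w1001.m3u8 and media_w1001_3.ts (constructed names).
SESSION_RE = re.compile(r"_w(\d+)(?:_\d+)?\.(?:m3u8|ts)$")


def session_of(path):
    """Return the session id embedded in a chunklist/segment path, or None."""
    m = SESSION_RE.search(path)
    return m.group(1) if m else None


class StreamRequestValidator:
    """Hypothetical per-request check: chunklist and segment requests are
    validated and logged too, not only the request that creates the session."""

    def __init__(self, is_authenticated):
        self.is_authenticated = is_authenticated  # callable(client_ip) -> bool
        self.owner = {}    # session id -> client IP that created the session
        self.access = []   # (client_ip, path, allowed) for every request

    def create_session(self, session_id, client_ip):
        """Playlist request: the only point the original module checked."""
        ok = self.is_authenticated(client_ip)
        if ok:
            self.owner[session_id] = client_ip
        return ok

    def validate(self, client_ip, path):
        """Every later request: serve only to the session's own client.
        Binding to one IP is a simplification; NAT or roaming clients
        would need a per-user token instead."""
        sid = session_of(path)
        allowed = (sid in self.owner
                   and self.owner[sid] == client_ip
                   and self.is_authenticated(client_ip))
        self.access.append((client_ip, path, allowed))
        return allowed

    def shared_sessions(self):
        """Session ids that were requested from more than one client IP."""
        seen = {}
        for ip, path, _ in self.access:
            sid = session_of(path)
            if sid is not None:
                seen.setdefault(sid, set()).add(ip)
        return {sid: ips for sid, ips in seen.items() if len(ips) > 1}
```

`shared_sessions()` surfaces the pattern reported in #1, where one session is fetched by several clients while only one connection is counted.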

