The previous system had overly weak protection against gaining access to arbitrary unlisted content. I don't think the approach they're taking to deploying a security enhancement is the wrong one.
This Tweet is from a suspended account. Learn more
Conversation
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
If someone doesn't act on a notice about their content, I don't think the right move is their likely private content not being properly secured.
It's quite unfortunate that they apparently had a serious security design flaw in the previous system though. I wonder how old it is.
1
I don't see a better option than requiring people to either make the content public to keep the current URL or use a new properly secured system for sharing it.
They would be doing users a major disservice if they required taking action to avoid potential compromise of data.
1
Do you know if anything is actually known about this apparent vulnerability? Like I guess maybe the urls are pseudorandomly generated using channel id or something?
1
I wouldn't be surprised if they made a blog post about how they secured it after the change is fully deployed and they don't have remaining services using the old system.
I fully understand how them changing this is disruptive but I do really think this is important to fix.