The previous system had overly weak protection against gaining access to arbitrary unlisted content. I don't think the approach they're taking to deploying a security enhancement is the wrong one.
This Tweet is from a suspended account. Learn more
Conversation
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
Do you know if anything is actually known about this apparent vulnerability? Like I guess maybe the urls are pseudorandomly generated using channel id or something?
1
I wouldn't be surprised if they made a blog post about how they secured it after the change is fully deployed and they don't have remaining services using the old system.
I fully understand how them changing this is disruptive but I do really think this is important to fix.