Brightcove: Ooyala Is Spreading Lies About Our Security

UPDATED According to white-label video management company Brightcove, rival Ooyala has been sending misleading information to Brightcove customers and the press, issuing a packet of information that purports to expose potential security vulnerabilities related to its media API. Brightcove says it has had at least two clients come forward with the documentation, which includes four PDF files detailing an alleged security hole that Ooyala says could enable a hacker to access Brightcove clients’ media files.

At issue are the tokens that are accessed any time a Brightcove video is requested by its media API. Because some Brightcove customers use unlimited-usage tokens for read access of their files, once that token is exposed, Ooyala says it could be used to access any files that a customer is managing in the Brightcove system — even those that have not been published or those that are intended for internal communications only. In its documentation, Ooyala likens the use of these reusable tokens to “exposing a permanent username and password whenever an API call is made from the client.”

Brightcove rebuts the claim that its token-based system inherently puts its customer assets at risk, saying that customers are in “complete control” of how the token is accessed, and that many choose to make read access to their files available through the API in the same way that they make metadata available through public RSS feeds.

In an emailed statement sent to NewTeeVee, a Brightcove representative wrote:

“We enable our customers to select a variety of settings to utilize our features, each of which provide different levels of security. We offer settings / choices that include best-of-breed security technology and recommendations and best practices on how to utilize these settings. If a customer does chose to embed the token, then by definition, they are OK with the limited read-only access that providing a token entails. It’s not a security issue at all, as their media assets are not vulnerable. Again, this is all documented behavior. The API is flexible enough to allow the customers to choose and implement whatever level of access they want. There should be no surprises. It’s also worth noting that this read-only view of metadata is no different than Google’s read-only view via text indexing, RSS feeds for video content, or a video sitemap.”

While dismissing the alleged security hole, Brightcove vice president of marketing Jeff Whatcott said Ooyala’s handling of the situation was in “bad form” and “unethical.” Rather than informing it about the potential security risk, Ooyala decided instead to try to use the information to win over Brightcove clients. “They way they’re handling it is completely outside the norm. Even if there was a risk, which there’s not, they would be putting more clients at risk by spreading it this way,” Whatcott said.

Brightcove CTO Bob Mason added, “There should be a code of best practices and ethics where we are jointly working together in the industry as a whole to protect our clients, and these tactics are 100 percent counter to that,”

Ooyala CTO Sean Knapp acknowledged that his company had sent the PDFs to some Brightcove clients, but said that his company was trying to educate customers about issues that could arise from making read-access tokens available on the client side.

“First, they’re a competitor of ours and they’re not doing anything to help out Ooyala. Second, they don’t see this to be an issue, but if you tap any security expert in the industry, they would say that this is a terrible practice,” Knapp said. “People don’t quite fully understand the security risk, but as soon as someone has access to the account and has access to the token, at that point their content is fully available.”

While Knapp said that he hopes Brightcove “fixes this issue,” he also noted that security is a positive differentiator for Ooyala. To underline that point, the video management firm issued a press release earlier this week touting support for token-based authentication of its own customer’s video assets.

Update: Brightcove’s Jeff Whatcott has written an extended entry on his view of this skirmish on the Brightcove blog.

Related content on GigaOM Pro:

Report: Monetizing Digital Content (subscription required)


Comments have been disabled for this post