Twitter DM Videos Are Accessible to Unauthenticated Users

Videos shared in Twitter Direct Messages (DMs) have opaque URLs based on hashes of their content, but are otherwise available to unauthenticated HTTP users. These DM video URLs are thus hard to guess, but if they were somehow discovered, they are available to any user, including users without Twitter credentials (i.e., twitter.com specific HTTP Cookie or Authorization request headers). This includes web archives, such as the well-known Internet Archive Wayback Machine, which can be used to move DM videos to domains outside of twitter.com. This lack of authentication for DM videos is in contrast to Twitter's model for images in DMs, which also have opaque URLs but require a session-specific HTTP cookie shared only between the DM participants. We review a minimal reproducible example of an image and video shared between two demo accounts, and show that while the image is protected from unauthenticated access as well as from an authenticated third party, the video itself is persistently available for any user who knows the URL.