Documentation & User Guides | Fotoware

Do FotoWeb's video URLs pose a security risk?

Fotoware Support has received input from Fotoware users questioning the security of exposing the video URL to the user.

This is the reassuring reply from our developers:

In order to play a video, you need a URL of the video so your browser can download it. Also, if you can play a video, you can theoretically download it and pass it on to anyone. This is how the web works, and there is no effective protection against any of this.

The URL of the video contains a secret ID, and the link to a video is only revealed to the user who has access to the video. While this link is valid permanently, it is only valid for one particular version of the video. If its content is modified, a new URL with a new ID is generated, so only users with access to the video can get the URL of the new version. Since the user with access to play the video could also download it, reducing the lifetime of these links would not be an effective protection.

Part of the secret ID is a 5-byte (40-bit) random value, so there are 1,099,511,627,776 possible random values, which we believe makes a brute-force attack to get videos very expensive (considering that anyone attempting this also needs to guess the filename and the remaining, non-random, part of the unique ID).

The key takeaway: No need to worry.
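The brute-force estimate in the developers' reply can be turned into a rate-limit budget for the server in front of the video URLs. The following is an added example, not Fotoware's code: it models guesses against the 40-bit random part as independent and uniform, and assumes the worst case in which the filename and the non-random part of the ID are already known. The function names and the `live_ids` parameter (how many valid random values exist for that known part) are hypothetical.

```python
import math

# 5-byte (40-bit) random value stated on the page: 1,099,511,627,776 values.
SPACE = 2 ** 40


def hit_probability(guesses, live_ids=1, space=SPACE):
    """P(at least one of `guesses` independent uniform guesses is valid)."""
    p = live_ids / space
    # 1 - (1 - p)^guesses, computed with log1p/expm1 to stay accurate
    # when p is tiny and guesses is huge.
    return -math.expm1(guesses * math.log1p(-p))


def expected_guesses(live_ids=1, space=SPACE):
    """Mean number of guesses until the first valid value (geometric)."""
    return space / live_ids


def max_request_rate(target_prob, horizon_seconds, live_ids=1, space=SPACE):
    """Highest sustained guess rate (requests/s) that keeps the chance of a
    hit within `horizon_seconds` at or below `target_prob`. Useful as an
    upper bound when sizing a rate limit on failed video requests."""
    p = live_ids / space
    max_guesses = math.log1p(-target_prob) / math.log1p(-p)
    return max_guesses / horizon_seconds


if __name__ == "__main__":
    year = 365 * 24 * 3600
    print(f"expected guesses for one ID: {expected_guesses():,.0f}")
    for rate in (10, 1_000, 100_000):  # constructed sample request rates
        prob = hit_probability(rate * year)
        print(f"{rate:>7} req/s for a year -> P(hit) = {prob:.6f}")
    limit = max_request_rate(0.01, year)
    print(f"rate that keeps P(hit) <= 1% over a year: {limit:.1f} req/s")
```

Because the links never expire, the horizon to plan for is the lifetime of a given video version, not a single session.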

