A publicly accessible database exposed viewing habits of the users of the streaming site Kanopy. According to security researcher Justin Paine, the site’s Elasticsearch database had no authentication, leaving user logs out in the open.
The database is believed to have been exposed since the beginning of this month. Kanopy has since remediated the issue after the researcher notified the company.
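The exposure described above is the common Elasticsearch failure mode: the node listens on a routable address with no authentication in front of it, so anyone who can reach port 9200 can read the banner and every index. The following script is an added example, not code from the article, from Kanopy or from the researcher; it probes a node the way an external attacker would and classifies the answer. The host and port, the constructed sample replies and the helper names (`classify_response`, `probe`) are assumptions for illustration.

```python
"""Check whether an Elasticsearch node answers without credentials.

Added example (not from the original article). Host, port and the sample
replies below are constructed assumptions, not captured from any real server.
"""
import json
import sys
import urllib.error
import urllib.request

OPEN = "OPEN: cluster answers without authentication"
AUTH = "PROTECTED: credentials required"
UNKNOWN = "UNKNOWN: unexpected response"


def classify_response(status: int, body: str) -> str:
    """Interpret an HTTP reply to GET / on an Elasticsearch node.

    An unauthenticated node returns 200 with a JSON banner carrying
    'cluster_name' and a 'version' object. A node protected by Elastic
    security features or an authenticating reverse proxy returns 401/403.
    """
    if status in (401, 403):
        return AUTH
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return UNKNOWN
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return OPEN
    return UNKNOWN


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> str:
    """Fetch the root banner from a live node; if open, list its indices.

    This function performs real network I/O and is only run from main().
    """
    base = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(base, timeout=timeout) as resp:
            verdict = classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        verdict = classify_response(exc.code, exc.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as exc:
        return f"UNREACHABLE: {exc}"
    if verdict == OPEN:
        # /_cat/indices shows index names and document counts, i.e. what is readable.
        with urllib.request.urlopen(base + "_cat/indices?v", timeout=timeout) as resp:
            verdict += "\n" + resp.read().decode("utf-8", "replace")
    return verdict


# Constructed sample replies used for the offline demonstration.
SAMPLE_OPEN = json.dumps({
    "name": "node-1", "cluster_name": "logs", "cluster_uuid": "abc",
    "version": {"number": "6.6.0"}, "tagline": "You Know, for Search",
})
SAMPLE_AUTH = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request"},
    "status": 401,
})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python check_es.py 203.0.113.10
    else:
        print(classify_response(200, SAMPLE_OPEN))
        print(classify_response(401, SAMPLE_AUTH))
```

Run it against your own hosts only. An `OPEN` verdict from an address outside your network means the fix is not just to add credentials: bind the node to a private address (the `network.host` setting), restrict port 9200 at the firewall or security group, and put authentication in front of it before it goes back online.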
The big picture
Why it matters - The openly available logs could have been used to identify individual Kanopy users, Paine explained in his blog post.
“Based on the client IP a bad actor (via the API logs or the web server logs) could have identified all videos searched for and/or watched by their client IP. In combination with the geo information, timestamp, and device type it likely would have been possible to identify the identity of a person behind that client IP (in the case of a static IP from their ISP),” Paine wrote.
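To make the correlation Paine describes concrete, the following added example (not code or data from the article, from Kanopy or from the researcher) groups constructed API-log records by client IP and shows what a single static address ties together: every search, every video watched, the locations, devices and the time span. The record layout, field names and values are assumptions, not Kanopy's real log schema. The second function shows the usual mitigation, truncating the IP before it is written to the log, so the same grouping no longer isolates one household.

```python
"""Correlate constructed API-log records by client IP, then show IP truncation.

Added example; the records and field names are assumptions, not real data.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed records in the shape of Elasticsearch log documents.
RECORDS = [
    {"@timestamp": "2019-03-04T21:02:11Z", "client_ip": "203.0.113.7",
     "geo": {"city": "Springfield", "region": "IL"}, "device": "Roku",
     "path": "/api/search", "query": "french new wave"},
    {"@timestamp": "2019-03-04T21:03:40Z", "client_ip": "203.0.113.7",
     "geo": {"city": "Springfield", "region": "IL"}, "device": "Roku",
     "path": "/api/watch", "video_id": "v-1182"},
    {"@timestamp": "2019-03-06T07:15:02Z", "client_ip": "203.0.113.7",
     "geo": {"city": "Springfield", "region": "IL"}, "device": "iPhone",
     "path": "/api/watch", "video_id": "v-0931"},
    {"@timestamp": "2019-03-05T19:45:00Z", "client_ip": "198.51.100.22",
     "geo": {"city": "Portland", "region": "OR"}, "device": "Chrome",
     "path": "/api/search", "query": "documentary"},
]


def profile_by_ip(records):
    """Return {client_ip: profile} summarising what one address's lines reveal."""
    profiles = defaultdict(lambda: {"locations": set(), "devices": set(),
                                    "searches": [], "watched": [],
                                    "first": None, "last": None})
    for r in records:
        p = profiles[r["client_ip"]]
        ts = datetime.strptime(r["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        p["first"] = ts if p["first"] is None or ts < p["first"] else p["first"]
        p["last"] = ts if p["last"] is None or ts > p["last"] else p["last"]
        p["locations"].add(f'{r["geo"]["city"]}, {r["geo"]["region"]}')
        p["devices"].add(r["device"])
        if r["path"] == "/api/search":
            p["searches"].append(r["query"])
        elif r["path"] == "/api/watch":
            p["watched"].append(r["video_id"])
    return dict(profiles)


def truncate_ip(ip: str) -> str:
    """Zero the host part before logging: last octet for IPv4, last 80 bits for IPv6.

    Many addresses then share one logged value, so grouping by it no longer
    singles out one subscriber line.
    """
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)


def redacted(records):
    """Copy of the records with client_ip replaced by its truncated form."""
    return [dict(r, client_ip=truncate_ip(r["client_ip"])) for r in records]


if __name__ == "__main__":
    for ip, p in profile_by_ip(RECORDS).items():
        span = p["last"] - p["first"]
        print(f"{ip}: {sorted(p['locations'])} {sorted(p['devices'])} "
              f"searches={p['searches']} watched={p['watched']} span={span}")
    print("after truncation:", sorted(profile_by_ip(redacted(RECORDS))))
```

The first profile shows the point of the quote: one IP, one city, two device types and a day and a half of activity is already a strong handle on a household with a static address. Truncation is a floor, not a complete answer; the device type, geo fields and precise timestamps still narrow things down, so the logs also need an access control and a retention limit.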
After Paine contacted Kanopy, the Elasticsearch database was taken offline on March 18. In addition, the company fixed the security issues on the server that hosted the database.