**NOTE:** This section talks at length about the story behind the need for a "custom" rate limiting system that our API Gateway could not provide. You can skip ahead to the implementation section if you want to.

Initially, the rate limiting system was introduced for a very specific use case.

The product has a feature called the "free-timer". Using the free-timer, a "guest" user could watch paid content for a few minutes (typically 5 mins). This helped new customers experience Hotstar without spending upfront. It was heavily used during popular events. After the timer ended, they were shown a paywall.

The free-timer was given to a "guest" user. A "guest" is a user who hasn't logged into the product yet, and so has a "guest token". The guest token has a unique identifier which is used to uniquely identify a customer. When a "playback" request comes from a guest user, we check whether the identifier of the guest user (given in the request) has already used the free timer or not.

Malicious actors devised a way of getting around the free timer check. Whenever the free timer ended, these rogue actors were calling the API for creating a new guest user. So, they got a new guest token which had a new identifier. The subsequent playback request using this new token was successfully getting the playback content, since the backend (free timer checking service) didn't find the identifier (as it was new).

[Figure: Free-timer flow (backend)]

## Preventing Abuse

Using this loophole, rogue actors were able to play the paid content for an unlimited time.
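As an added illustration (not code from the Hotstar post), the Python below models the free-timer checking service as described above, replays the guest-recreation pattern against it with a deterministic clock, and then attaches a sliding-window limit on guest-token creation keyed by a per-client key. The client key (assumed to be a device fingerprint or source IP), the quota values and the one-hour simulated session are assumptions of this example; the post does not describe its actual mitigation at this point.

```python
import uuid
from collections import defaultdict, deque

FREE_TIMER_SECONDS = 300  # the "typically 5 mins" free window from the post


class FakeClock:
    """Deterministic clock so the simulation is reproducible."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FreeTimerService:
    """Models the backend free-timer checking service: the first playback
    request for a guest identifier opens its window; later requests for the
    same identifier are allowed only while that window is still open."""
    def __init__(self, clock):
        self.clock = clock
        self.window_start = {}  # guest identifier -> time its free window started

    def playback_allowed(self, guest_id):
        start = self.window_start.get(guest_id)
        if start is None:
            # identifier never seen before: grant the free timer and record it
            self.window_start[guest_id] = self.clock.now()
            return True
        return self.clock.now() - start < FREE_TIMER_SECONDS


class SlidingWindowLimiter:
    """Counts guest-token creations per client key inside a sliding window.
    The key is assumed to be something the client cannot refresh by simply
    asking for a new guest (device fingerprint or source IP)."""
    def __init__(self, clock, max_events, window_seconds):
        self.clock = clock
        self.max_events = max_events
        self.window_seconds = window_seconds
        self.events = defaultdict(deque)  # client key -> timestamps of recent creations

    def allow(self, client_key):
        q = self.events[client_key]
        cutoff = self.clock.now() - self.window_seconds
        while q and q[0] <= cutoff:
            q.popleft()  # forget creations that fell out of the window
        if len(q) >= self.max_events:
            return False
        q.append(self.clock.now())
        return True


class GuestService:
    """Guest-creation API; with a limiter attached it refuses to mint a fresh
    identifier once a client key has used up its quota."""
    def __init__(self, limiter=None):
        self.limiter = limiter

    def create_guest(self, client_key):
        if self.limiter is not None and not self.limiter.allow(client_key):
            return None
        return uuid.uuid4().hex  # new identifier, unknown to the free-timer service


def simulate_abuse(limiter_factory=None, session_seconds=3600):
    """Replays the pattern from the post for one client key: create a guest,
    play until the timer ends, repeat. Returns
    (guest_tokens_minted, seconds_of_paid_playback_obtained)."""
    clock = FakeClock()
    timer = FreeTimerService(clock)
    guests = GuestService(limiter_factory(clock) if limiter_factory else None)
    client_key = "device-A"  # constructed sample client key
    minted = 0
    played = 0
    while clock.now() < session_seconds:
        guest_id = guests.create_guest(client_key)
        if guest_id is None:
            break  # the limiter refused a fresh identifier
        minted += 1
        if timer.playback_allowed(guest_id):
            played += FREE_TIMER_SECONDS
        clock.advance(FREE_TIMER_SECONDS)  # window expires, client tries again
    return minted, played


if __name__ == "__main__":
    print("no limiter       :", simulate_abuse())
    print("1 guest per hour :", simulate_abuse(lambda c: SlidingWindowLimiter(c, 1, 3600)))
```

The per-identifier check in `FreeTimerService` is correct on its own; the simulation shows that it is the unlimited supply of fresh identifiers that defeats it, which is why the control has to sit on guest-token creation (keyed by something the client does not control) rather than on playback.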