I believe that I have found an issue with the paid content on Bullseye’s site, an issue that would allow unpaid access to paid content.
I am currently working with Richard Parrish on his upcoming video for Bullseye, and I stumbled across this while researching techniques to add chapters to the video, as requested by Bullseye. I have previously purchased content from Bullseye, and am a current subscriber, so I have access to his paid video.
While examining the code for the Tapestry video, I noticed that the code for the video player included a link, which I copied and pasted in a new browser window. The Tapestry video began to play.
There are several examples on this page. Please take a look at this video to understand the issue:
Sample 1: Video from Paid Online Video
The example below is showing Richard Parrish’s video from Bullseye’s videos.bullseyeglass.com site, embedded in my katadair.com website. Bullseye’s paid website content is using Brightcove’s video player on the website to provide users with for-pay video content. In most cases, an embedded video will have DRM (digital rights management) in place to prevent this from happening. It looks like steps were taken to implement Brightcove’s player, which is supposed to have security measures, on Bullseye’s website for the videos, but it’s not working correctly. There is possibly an issue with the BrightCove Video Connect Plugin for WordPress, or there may be a misconfigured setting that is allowing this.
How I Tested This:
I was logged in as a purchaser of the Tapestry course ($125 version, not hybrid course). This is the link: https://videos.bullseyeglass.com/videos/master-class-tapestry-with-richard-parrish/
I used Chrome’s Inspect Element feature, which showed the link to the embedded player. From the menu, View —> Developer —> Inspect Elements. I clicked on the player in the left-hand panel to locate the associated code.
I copied the location/link of the player. The link to the video is not encrypted or hidden.
I was able to view Richard’s video in another browser that was not logged into Bullseye, and was able to send a text containing the link to Richard’s video with my partner, Kim Brill. As you can also see here, I was able to use Squarespace’s embed feature to place this video in a page my own website.
I tried this with several different browsers, and each one allowed access (Safari, Chrome, Firefox). I was only able to access the developer code through Chrome and Firefox.
Sample 2: Video from Free Videos
This is a sample from the free videos on videos.bullseyeglass.com. The code contained the same Brightcove link.
Sample 3: Video from Subscription Videos
Videos from courses on videos.bullseyeglass.com that are subscription use the same Brightcove player, and are therefore vulnerable, just as the paid videos.
Sample 4: Video from Online Hybrid Course on Bullseye’s Site
Videos from courses on classes.bullseyeglass.com are handled differently, at least on the videos I have access to. There is a link to Vimeo in the handout, and a password is provided in the handout. These seem locked down.
Sample 5: Alicia’s Video from Bullseye’s Site
Sample 6: Sharing a Brightcove Bullseye Video through Facebook
Although it does not show a preview of the video, the link to players.brightcove.net will take the user directly to the video (this is just an image, not a link). I have not tried other social media sites yet.
Sample 7: Video from Kim+Kat Glass through Teachable’s Learning Platform
This example from the Kim+Kat site DID actually show the video briefly, but then changed to an error. Our videos won’t play outside the Teachable platform.