Honestly, this is a simple bug, a react website, wiht source maps, so easy to find API endpoints the application calls. Upon examination one of them did not require any authentication, the event stream publishing events from the cameras in a redacted teleommunications company office. As far as the author shows us, the feed contained JSON that contained a base64 of the raw images being sent out periodically.

As a vulnerability its not interesting, and given how often people talk about just finding webcamera streams online, its not that surprising. Its just a reminder to sanity check the APIs, especially in my mind the “odd” endpoints. This one was a server-sent event and those edge cases can often have other unexpected rules applied to them.