TrueCoach video deletion bug

Trishank Karthik Kuppusamy
Trishank on Cybersecurity
Apr 27, 2020

April 26, 2020: Following a 90-day responsible disclosure policy, I am disclosing my finding that TrueCoach, a service used by online coaching businesses, apparently fails to actually delete videos when users press the “delete” button. I first verified this on January 27, 2020 by using a web browser to record the CloudFront URLs used to replay these videos, then using the TrueCoach web app to delete these videos, and observing that the CloudFront URLs continue to work at least three months later.

Why is this a problem? Well, imagine if you had accidentally uploaded a sensitive video. In any case, when a service claims to have deleted anything you uploaded, it should ideally honor that.

The following is my 90-day email trail with TrueCoach:

Unfortunately, I found that the video I deleted on Jan 27, 2020 continues to be available. Videos I deleted today continue to be available, although that may be due to a temporary CloudFront caching policy. I understand the coronavirus may have affected fixing this issue, and I look forward to continuing to work with TrueCoach to make sure that videos are at least ostensibly deleted.
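The caching caveat above can be told apart from a real failure to delete by reading the headers CloudFront adds to each response. The following is an added example, not code from the original post or from TrueCoach; the function names and sample responses are constructed, and it assumes the distribution returns CloudFront's standard `X-Cache` header.

```python
import urllib.error
import urllib.request


def classify(status, headers):
    """Classify one response for a URL whose object was supposedly deleted."""
    h = {k.lower(): v for k, v in headers.items()}
    x_cache = h.get("x-cache", "").lower()
    if status in (403, 404, 410):
        return "gone"  # the URL no longer serves the video
    if not 200 <= status < 300:
        return "inconclusive"
    if x_cache.startswith("hit"):
        # Served from the edge cache without contacting the origin:
        # re-test once the cache TTL has passed (the Age header shows
        # how many seconds the copy has been cached).
        return "cached-copy"
    if x_cache.startswith(("miss", "refreshhit")):
        # CloudFront fetched or revalidated the object at the origin,
        # so the file still exists there.
        return "still-at-origin"
    return "inconclusive"


def probe(url, timeout=10):
    """Request only the first byte of url and classify the response."""
    req = urllib.request.Request(url, headers={"Range": "bytes=0-0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers.items()))


# Constructed sample responses, not captured traffic.
SAMPLES = [
    ("deleted 90 days ago", 200, {"X-Cache": "Miss from cloudfront"}),
    ("deleted today", 200, {"X-Cache": "Hit from cloudfront", "Age": "1800"}),
    ("revalidated", 206, {"X-Cache": "RefreshHit from cloudfront"}),
    ("actually removed", 403, {"X-Cache": "Error from cloudfront"}),
]


def report(samples=SAMPLES):
    return {label: classify(status, hdrs) for label, status, hdrs in samples}


if __name__ == "__main__":
    for label, verdict in report().items():
        print(f"{label}: {verdict}")
```

A `still-at-origin` verdict on a video deleted long ago cannot be explained by caching, while `cached-copy` only means the test should be repeated later.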

The problem with online services — not unique to TrueCoach — is that you can never be sure if something is truly deleted, but that is a different story for a different day.

May 8, 2020: Although their lead backend developer Adam responded publicly to me that they have rolled out a fix, the original problem remains where a user is not able to properly delete a single video. Therefore, it follows that a user cannot delete all videos as yet unmarked as deleted. Furthermore, all videos marked as deleted are as yet actually undeleted, which may accidentally have implications for GDPR compliance.

Therefore, until such time as TrueCoach rolls out fixes for the problems I outlined above, I unfortunately cannot recommend them to users who care about privacy.
