Michael Coates, the head of Web security for Mozilla, said he discovered several problems while trying to sign up for the US$395 service.
As he went through the sign-up procedure, he was "quickly sidetracked by a few oddities in the design," he wrote in a blog post describing the incident.
He poked around a bit more and discovered that he could register an account without providing anything more than an e-mail address, and then use that account on a test login page to access the videos for free.
"Now, to be fair, Black Hat didn't operate this video service themselves," Coates wrote. "But it's still a bit ironic that the largest hacking conference in the world has this security hole in their video streaming service."
Black Hat's video streaming was provided by Inxpo this year.
This is the first year the conference has made video streaming of conference sessions available, Black Hat Director Jeff Moss said. Like other companies, the conference takes a risk when it works with third parties. "I'm always nervous about those systems, because we don't get access to their source code and we can't review it," he said. "We don't have time to write video streaming software, so we picked a vendor that we thought was good... apparently they'd never hosted a security stream before."
The hotel partners for Black Hat and its sister conference Defcon usually get a similar type of security penetration test when they start hosting the conferences. For the first year or so, the hotel's TV systems or phone lines will get hacked, and then they eventually lock things down. "It's kind of like their trial by fire: Welcome to Black Hat," said Moss.
Coates said that he notified the video streaming company before blogging about the issue, and they quickly fixed the bugs. Inxpo couldn't immediately be reached for comment.
Moss, who runs a conference devoted to the disclosure of security problems, had nothing but praise for Coates' security find. "Well good for him, that's cool," he said. "If you can't protect your stuff, that's what happens."