Saturday, June 25, 2016

Bug hunting story - Vimeo - XSS

Vimeo was another big player, lucky enough to become my bug hunting target :)

A couple of trivial ones like:
Some required a bit of user interaction, e.g. hovering the mouse over the profile picture, but they were still not very challenging.

A few PoC videos below:

And something for QA folks:
If I uploaded a video with the name '">;whatever. then the HTML of the e-mail notification about the (un)successful video upload was broken. Email notifications tend to be less secured and less tested than the rest of an application, so this should be a good motivation for you to inspect the emails as well:

My experience with Vimeo?
Replied after a few days, fixed the vulns within a week, so that was positive.
The manager I spoke with - a very nice person, by the way - offered me a premium account for those findings. I'm not a Vimeo user so I declined, but I definitely appreciated it.
It leaves a really good feeling when someone shows appreciation of my work.
Hi there,
Thanks very much for telling us about this! Our developers looked our code over and will be making changes to prevent this going forward. If you don’t mind, please leave your account as-is so they can continue to reference the examples you provided.

We really appreciate it! If you’d like to create a new Vimeo account I’d be happy to provide you with a free year of Vimeo Plus for your efforts :)
Matt S
Senior Manager, Content + Community

