There is a vulnerability in
https://vimeo.com/[VIDEO_ID]?action=share that makes all Vimeo private videos available to anybody.
POC link : http://opnsec.com/vimeo/vl/videoLeak.php?video=[VIDEO_ID]
POC requirements : - No need to be logged in Vimeo - Because of sensitivity of this, I put a password on the POC : username : vimeo password : aS3cr3tP4$$wrD7854123
POC instructions :
1. Open the POC link replacing
[VIDEO_ID] by any Vimeo private video id (I believe all type of private videos are vulnerable)
2. Enter the username and password as per requirements
3. If the Vimeo video id is correct, no matter the status of the video, the video should start playing.
Technical description :
https://vimeo.com/[VIDEO_ID]?action=share is an Ajax link used to ask Vimeo for the "Share" code to embed the video
Because it is Ajax, the server is only replying if the
Header X-Requested-With is set to XMLHttpRequest.
If the Attacker send this request with a [VIDEO_ID] of a private video that he don't have access to, the server reply with an error message. However, this message contains the link to the
config file of the private video including a
token parameter s=[SECRET] which will grant the attacker access to the config file.
The config file contains all the info about the video including the actual video file links, video title, owner vimeo account, ... which means that the attacker has complete access to the video.
Example of config file with
token parameter s=[SECRET]
To resolve this issue, the
https://vimeo.com/[VIDEO_ID]?action=share server should not include the token parameter
s=[SECRET] of the config file in the error response of
https://vimeo.com/[VIDEO_ID]?action=shareif the user doesn't have right to access the video.
There is a good chance this vulnerability is present in other links, especially other Ajax links.
In addition, if that is possible, the
https://player.vimeo.com/video/[VIDEO_ID]/config config file server should also check that the user has valid right to access the video even if he has a correct
Here is the source code of
If you need more info or if the POC doesn't work feel free to contact me.
Enguerran Gillier ██████████████████ ██████████████████████