Vimeo: APIs for channels allow HTML entities that may cause XSS issue

ID H1:42702
Type hackerone
Reporter artem
Modified 2015-01-08T21:37:35

I found Vimeo's bug bounty program on [1]. Please find below details of a security issue I found.

First, the APIs for channels [2] allow you to put HTML and JavaScript into the name or description of a channel. For example, an attacker can use a Python script like the following to put JavaScript into an existing channel:

    import httplib, urllib

    server = ""  # API host omitted in the original report
    endpoint = "/channels/855545"
    # Channel fields to update; the name carries the injected script
    params = urllib.urlencode({'name': 'my channel<script>alert(document.cookie)</script>',
                               'description': 'bug bounty',
                               'privacy': 'anybody'})
    headers = {"Authorization": "Bearer [token]",
               "Content-Type": "application/x-www-form-urlencoded"}
    conn = httplib.HTTPSConnection(server)
    conn.request("PATCH", endpoint, params, headers)
    resp = conn.getresponse()
    print resp.status, resp.reason
    data = resp.read()
    print data
    conn.close()

I created a channel that contains JavaScript in the description:

Second, most of Vimeo's pages cut or encode HTML entities before they are printed out. For example, the page above doesn't execute the injected code. But I found at least two pages that don't encode HTML entities:

    <channel_id>/settings/videos

When you create an album you can add videos to this album (the "Add videos to this Album" select box on the page above). The select box contains the channels you subscribed to or moderate. The page doesn't encode HTML entities when it builds the select box, so the code I injected into the name of my channel is successfully executed on this page.

Technically this is a stored XSS vulnerability that allows injecting JavaScript code into a Vimeo page. But it might be hard to exploit because an attacker needs to do the following:

- make a victim subscribe to a malicious channel, or modify an existing channel a victim has subscribed to
- make a victim open the page

Both steps might not be so easy to do, but they are still possible.

I found some other APIs that allow putting HTML entities, but I have not checked all APIs. The problem may be fixed by making the APIs encode or cut HTML entities, but that may cause some compatibility issues. Another way is to encode or cut HTML entities before the channel name is printed out on the page above. With this approach, other Vimeo pages would need to be checked.

[1]
[2] {channel_id}
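The two remediation layers the report proposes (rejecting or stripping markup at the API, and encoding the channel name when the "Add videos to this Album" select box is rendered), as an added illustration that is not part of the report or of Vimeo's code. The channel records and function names are constructed; the first channel name is the payload quoted in the report.

```python
import html
import re

# Constructed sample: channel names as the channels API could store them.
# The first is the payload from the report; the second is a legitimate name
# whose characters must survive encoding intact.
CHANNELS = [
    {"id": 855545, "name": "my channel<script>alert(document.cookie)</script>"},
    {"id": 1, "name": "Tom & Jerry's \"best\" clips"},
]

def render_channel_select(channels, encode=True):
    """Build the album page's channel <select>.

    encode=False reproduces the reported flaw: the stored name is
    concatenated into the markup verbatim. encode=True is the output-side
    fix: every name is HTML-escaped (including quotes) as it is written out.
    """
    options = []
    for ch in channels:
        label = html.escape(ch["name"], quote=True) if encode else ch["name"]
        options.append('<option value="%d">%s</option>' % (ch["id"], label))
    return '<select name="channel">' + "".join(options) + "</select>"

# Hypothetical API-side control: strip tag syntax from names before storage.
TAG_RE = re.compile(r"<[^>]*>")

def sanitize_channel_name(name, max_len=100):
    """Remove tags and collapse whitespace at the API boundary.

    Stripping only reduces what gets stored; the rendered page must still
    encode on output, because a stripped value can remain dangerous in
    other contexts (attributes, JavaScript strings, URLs).
    """
    stripped = TAG_RE.sub("", name)
    return " ".join(stripped.split())[:max_len]

def contains_markup(name):
    """Detection helper: flag stored names carrying tag or entity syntax,
    useful for auditing channels created before the API was fixed."""
    return re.search(r"<|>|&#?\w+;", name) is not None

if __name__ == "__main__":
    print(render_channel_select(CHANNELS, encode=False))  # vulnerable markup
    print(render_channel_select(CHANNELS))                # escaped markup
    for ch in CHANNELS:
        print(ch["id"], contains_markup(ch["name"]), sanitize_channel_name(ch["name"]))
```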