Vimeo: Vimeo + & Vimeo PRO Unauthorised Tax bypass

2015-02-28T05:41:33
ID H1:49561
Type hackerone
Reporter march
Modified 2015-04-18T08:35:39

Description

Hello !

I've found a vulnerability which allows overriding the taxation applied when buying Vimeo + or Vimeo PRO (tested by selecting France as the country).

Comparing the data sent when attempting to purchase an on-demand movie, I noticed a field named "vin_Transaction_transactionItems_0_taxClassification" with the value "TaxExempt". No tax is present in the final purchase summary on PayPal. (see Proof1 and Proof2 screen captures)

When attempting to purchase a Vimeo + or Vimeo PRO account, the same field exists, but the value is set to "OtherTaxable". In the end, we note in the purchase summary on PayPal that, in addition to the account price (49 € or 159 €), tax is added (in the amount of € 9.99 for the Vimeo+ account and € 31.80 for the Vimeo PRO account) (see Proof3 screen capture)

Finally, when attempting to purchase Vimeo+ or Vimeo PRO, if you set the field "vin_Transaction_transactionItems_0_taxClassification" to "TaxExempt", we still reach PayPal and we see in the summary that taxes have not been added to the price. (see Proof4 and Proof5 for Vimeo PRO, Proof6 and Proof7 for Vimeo+)

PoC Video : https://vimeo.com/user37862177/vimeo-tax-bypass-vulnerability
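The root cause the report describes is a pricing parameter that the client controls: the server honours whatever `taxClassification` value arrives in the form instead of deriving it from its own catalogue. The following is an added example, not the reporter's or Vimeo's code, that contrasts the trusting checkout with a hardened one in which the classification comes only from a server-side catalogue and any disagreeing client value is written to an audit log for detection. The catalogue, the `quote` helper, the 20% VAT rate for France and the `vod_rental` item are assumptions constructed for the example; only the field name, the two classification values and the 49 €/159 € prices come from the report, and the computed tax amounts are illustrative rather than a reproduction of the report's figures.

```python
"""Server-side tax classification: vulnerable vs. hardened checkout (constructed example)."""

# Constructed catalogue. Prices for the two accounts are the ones quoted in the report;
# the "vod_rental" entry and its price are made up to show a legitimately exempt item.
CATALOGUE = {
    "vimeo_plus": {"price_eur": 49.00, "tax_classification": "OtherTaxable"},
    "vimeo_pro": {"price_eur": 159.00, "tax_classification": "OtherTaxable"},
    "vod_rental": {"price_eur": 4.99, "tax_classification": "TaxExempt"},
}

# Constructed VAT table; the 20% rate for France is an assumption for the example.
VAT_RATES = {"FR": 0.20, "US": 0.00}

# The form field named in the report.
TAX_FIELD = "vin_Transaction_transactionItems_0_taxClassification"


def quote(price_eur, classification, country):
    """Compute net, tax and total for one line item from an already-decided classification."""
    rate = 0.0 if classification == "TaxExempt" else VAT_RATES.get(country, 0.0)
    tax = round(price_eur * rate, 2)
    return {
        "net": price_eur,
        "tax": tax,
        "total": round(price_eur + tax, 2),
        "classification": classification,
    }


def vulnerable_checkout(form, country):
    """Before: the client-supplied classification overrides the catalogue (the reported flaw)."""
    item = CATALOGUE[form["item"]]
    classification = form.get(TAX_FIELD, item["tax_classification"])
    return quote(item["price_eur"], classification, country)


def hardened_checkout(form, country, audit_log):
    """After: classification is taken only from the catalogue.

    A client value that disagrees with the server's decision cannot change the price,
    but it is recorded so that attempts to manipulate the field show up in monitoring.
    """
    item = CATALOGUE[form["item"]]
    server_class = item["tax_classification"]
    client_class = form.get(TAX_FIELD)
    if client_class is not None and client_class != server_class:
        audit_log.append({
            "event": "tax_classification_mismatch",
            "item": form["item"],
            "client_value": client_class,
            "server_value": server_class,
            "country": country,
        })
    return quote(item["price_eur"], server_class, country)


if __name__ == "__main__":
    # Constructed form submission with the field set to the value the report describes.
    tampered = {"item": "vimeo_pro", TAX_FIELD: "TaxExempt"}
    log = []
    print("vulnerable:", vulnerable_checkout(tampered, "FR"))
    print("hardened:  ", hardened_checkout(tampered, "FR", log))
    print("audit log: ", log)
```

The design point is that `quote` never sees an untrusted classification in the hardened path: the only inputs the client controls are the item identifier and the country, both of which are looked up against server-side tables. Keeping the comparison and audit entry separate from the pricing decision means a tampered field is both neutralised and visible, rather than silently ignored.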