Vimeo: XSS when using captions/subtitles on video player based on Flash (requires user interaction)

2015-09-11T16:55:43
ID H1:88508
Type hackerone
Reporter stefanofinding
Modified 2017-08-31T10:27:29

Description

Description

The video player based on Flash (not the HTML5 one), shows the captions/subtitles without escaping. This allows to upload a file with captions/subtitles with HTML code, because the content of the file is not escaped when it's stored. The way to force the use of the Flash player is using the widget Hubnut, because on Chrome for example the default player is the HTML5 one.

Proof of concept

  1. For easy reproduction of the proof of concept, create a new account or delete every video in your account or make every video private.
  2. Upload a video or use an existing video.
  3. Go to the Settings of the video.
  4. Click on the tab Advanced.
  5. Download the file English.vtt that I attached to the report.
  6. In the section "Add Captions & Subtitles", click on Choose file.
  7. Select the file you downloaded in step 5.
  8. When the file is uploaded, click on OFF in the column Status. The value should change to ON.
  9. Select English in the column Language.
  10. Select Captions in the column Type.
  11. Click on Save Changes.
  12. Using other account, go to https://player.vimeo.com/hubnut/user/[user_url] (like https://player.vimeo.com/hubnut/user/user36690798).
  13. Click on Play.
  14. Click on CC (at the right bottom of the player) and click on English, to activate the captions.
  15. alert(document.domain) is executed.

You can reproduce the issue using this link https://player.vimeo.com/hubnut/user/user36690798.