Vimeo Add or Delete the videos in watch later list of any user

From Hackipedia
Hackerone #52982
Target: Vimeo
Target Module:
Type: Authentication
Payload:
Original: Link
CVE:
Archive

ckmk44 noticed that Vimeo allowed a Watch Later playlist to be created, and that any user's playlist could be viewed via a call to GET /users/<any_user_id>/watchlater/

There was functionality here that could be abused by malicious users. Any video could be added to any user's Watch Later playlist via: PUT /users/<any_user_id>/watchlater/<any_video_id>

Any video could likewise be removed via: DELETE /users/<any_user_id>/watchlater/<any_video_id>

Vimeo failed to check that the user id in the URL matched the authenticated user making the request, which is what made this possible. How much money do you think a person would pay to have their advertisement placed on every user's playlist?

How To Perform

  1. Keep an eye on network communication and look for API calls and functions that appear to be id driven
  2. Create two accounts
    1. Log into them side by side in different browsers
    2. Confirm that the function is id driven
    3. Swap the ids to see if it is possible to alter the other account
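Below is an added example (not Vimeo's code and not from the report): a minimal handler for the three Watch Later routes with the missing owner check in place, toggled off only to show the reported behaviour, plus a log filter that flags requests whose path user id differs from the session user id, which is exactly the condition the id-swap step above probes. The in-memory store, the log lines and all ids are constructed.

```python
import re

# Matches /users/<user_id>/watchlater/ and /users/<user_id>/watchlater/<video_id>
ROUTE = re.compile(r"^/users/(?P<user>\d+)/watchlater/(?:(?P<video>\d+)/?)?$")


def handle(store, method, path, session_user, enforce_owner=True):
    """Dispatch one Watch Later request and return (status, body).
    store: constructed in-memory stand-in, user id -> set of video ids.
    session_user: id of the authenticated caller, from the session, never
    from the request; the user id in the path is client-controlled.
    enforce_owner=False reproduces the reported bug (path id trusted).
    """
    m = ROUTE.match(path)
    if not m:
        return 404, "not found"
    target, video = int(m.group("user")), m.group("video")
    # The fix: the list named in the URL must belong to the authenticated user.
    # Assumption: a Watch Later list is private to its owner, so GET is checked too.
    if enforce_owner and target != session_user:
        return 403, "forbidden"
    videos = store.setdefault(target, set())
    if method == "GET" and video is None:
        return 200, sorted(videos)
    if method == "PUT" and video is not None:
        videos.add(int(video))
        return 204, ""
    if method == "DELETE" and video is not None:
        videos.discard(int(video))
        return 204, ""
    return 405, "method not allowed"


# Constructed access-log lines: authenticated user, method, path.
SAMPLE_LOG = """\
user=7 GET /users/7/watchlater/
user=42 PUT /users/7/watchlater/555
user=7 DELETE /users/7/watchlater/555
user=42 DELETE /users/7/watchlater/123
"""


def cross_user_requests(log_text):
    """Return log lines whose path user id differs from the session user id;
    each one is a request the patched handler would refuse (a detection query)."""
    hits = []
    for line in log_text.splitlines():
        session, _method, path = line.split()
        m = ROUTE.match(path)
        if m and int(session.split("=")[1]) != int(m.group("user")):
            hits.append(line)
    return hits
```

Running the same request pair with enforce_owner on and off is the regression test for this class of bug: the second account must get 403, not 204, when it names the first account's id in the path.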