Vimeo clip data leak (my first bug bounty)

Some time ago a workmate sent me a link to the video of my conference speech. The speech was about to be repeated shortly thereafter, so she decided to use the password-protection feature available in the Vimeo service.

A few weeks later I pasted the same link into a Facebook chat and immediately the clip thumbnail and description appeared. I thought the video had been released, but it had not. Clicking the link led to a bare "This video is private, enter password" page. Apparently Facebook was accessing more content than a regular user.

Private video link pasted into Facebook chat window immediately revealed thumbnail, title and description

At first I tried to replicate the exact HTTP request of Facebook's crawlers, with no luck. My guess was that the Facebook bot IP range was whitelisted. Then I tried the Open Graph debugger and, voilà, the page content fetched by Facebook had extra OG tags with all the content: description, thumbnail and more.

OpenGraph debug tool applied to Vimeo private video link

I dug into this a bit more and it turned out that private videos leak data as well, as long as the option "Enable people to embed the video on any site" is activated. The "Who can watch this video" choice was set to "Only me: make this video visible to me and no one else". As a user I would feel confident that such settings guarantee full privacy, since the "Share" option is disabled for private videos, and embedding such a clip results in a black player window labelled "Private video".

“Where can this video be embedded = anywhere” setting allowed leak despite “Who can watch = only me” selection
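The leak above is visible to anyone who can read the raw HTML the crawler receives: the "private" page still carries og:title, og:description and og:image meta tags in its head. The following script is an added example, not code from the original post or from Vimeo, that parses Open Graph tags out of a page and flags the combination "page says it is private" plus "OG metadata present". The HTML samples are constructed for the example (they are not captured Vimeo responses), and the fetch helper, user-agent string and URL handling are assumptions; as noted in the post, spoofing the crawler's User-Agent alone may not reproduce what the Facebook debugger sees.

```python
"""Detect Open Graph metadata exposed on pages that claim to be private.

Added example for this post; not Vimeo's code. The sample pages below are
constructed, not captured from Vimeo.
"""
import html
from html.parser import HTMLParser
from urllib.request import Request, urlopen

# Facebook's documented crawler User-Agent (assumption: used only for the
# optional live fetch; the post notes that a spoofed UA alone did not work).
FB_CRAWLER_UA = "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"

# OG properties whose presence on a private page amounts to a data leak.
SENSITIVE_OG = ("og:title", "og:description", "og:image", "og:video", "og:video:url")

# Constructed sample: a "private" page that still ships OG metadata.
SAMPLE_PRIVATE_PAGE = """<!doctype html>
<html><head>
<meta property="og:title" content="My talk &amp; demo">
<meta property="og:description" content="Conference speech, not public yet">
<meta property="og:image" content="https://example.invalid/thumb.jpg">
<meta property="og:type" content="video.other">
</head><body><h1>This video is private, enter password</h1></body></html>"""

# Constructed sample: what a fixed page should look like (no OG payload).
SAMPLE_FIXED_PAGE = """<!doctype html>
<html><head><meta property="og:type" content="website"></head>
<body><h1>This video is private, enter password</h1></body></html>"""


class OGParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> pairs from a document."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or a.get("name")
        if prop and prop.startswith("og:") and a.get("content") is not None:
            # Entities in attribute values arrive escaped; decode them.
            self.og[prop] = html.unescape(a["content"])


def extract_og(html_text):
    """Return a dict of all og:* properties found in the HTML."""
    parser = OGParser()
    parser.feed(html_text)
    parser.close()
    return parser.og


def og_leak(html_text, private_marker="This video is private"):
    """Return (is_private, leaked) for a page.

    is_private: the page body carries the access-denied marker.
    leaked: sensitive og:* values that are exposed despite that marker.
    """
    og = extract_og(html_text)
    leaked = {k: v for k, v in og.items() if k in SENSITIVE_OG}
    is_private = private_marker.lower() in html_text.lower()
    return is_private, leaked


def fetch_as_crawler(url, user_agent=FB_CRAWLER_UA, timeout=10):
    """Fetch a URL presenting a crawler User-Agent (network; not run offline)."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")


if __name__ == "__main__":
    for name, page in (("private-with-og", SAMPLE_PRIVATE_PAGE), ("fixed", SAMPLE_FIXED_PAGE)):
        private, leaked = og_leak(page)
        verdict = "LEAK" if private and leaked else "ok"
        print(f"{name}: private={private} leaked={sorted(leaked)} -> {verdict}")
```

To test a real URL, replace the samples with `fetch_as_crawler(url)` and, if the response is the plain private page, compare it against what the Open Graph debugger shows; a difference between the two is the whitelisting the post suspects.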

The bug was reported to Vimeo and partially fixed: private, embeddable videos no longer leak data through Open Graph and Facebook. Password-protected ones still do.

Vimeo awarded a $100 bounty for this report, thanks!

Tomasz Zieliński

 — — — —
10 Mar 2016 — issue reported to Vimeo
07 Apr 2016 — reminder sent to Vimeo
18 May 2016 — issue closed by Vimeo with an explanation that missed the real problem
18 May 2016 — data leak explained again
20 May 2016 — (partial) fix released and $100 bug bounty awarded
13 Jun 2016 — this note is published

