Unautherize access to vimeo private/public groups by adding Video (Broken authentication)

Hi Guys,

I am vijay kumar an individual security researcher and active bug bounty  hunter in various  platform.I am starting my blog today to update different security groups and  people in the world.
You can know more about me in my blogger profile or about me page.

Let's talk about the bug :

Bug type : Indirect object reference(IDOR)

Category : Broken authentication and privilege escalation

OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Company : Vimeo

Description of the vulnerability :
In vimeo people can create private/public groups and upload the videos privately.There is a incremental numeric ID provided for the all groups.While adding video to the group HTTP POST parameter  contents groupID which is not validating at server side and leads to add your video to any group on vimeo.

VIdeo POC :

Hall of fame link : https://hackerone.com/vimeo/thanks(You will find it with the username https://hackerone.com/vijay_kumar1110)

Reward : 250$


Popular posts from this blog

Airbnb : Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method (IDOR)

Email Address disclosure of all the Mozilla Add-ons Account(Indirect Object reference)

XSS+CSRF attack in Tagged using Redirect parameter(Open URL Redirection attack Possible)