Private video info disclosure through API in Vimeo!
Greetings,
In this blog post, I'm gonna talk about a bug I found through API testing in the video sharing app Vimeo.
Private videos, as the name suggests, are supposed to be completely private. For an app to see a user's private videos, the access token needs to have the 'private' scope. You guessed it, scope-based testing.
So I created an access token with only the public scope and requested the endpoint `/me/videos/<private-video-id>`. And voilà, all of the private video's metadata was returned, even though the token never had the 'private' scope.
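To make the scope check concrete, here is an added example (my own illustration, not Vimeo's code) of a `/me/videos/<video_id>` style lookup: the weak version checks only that the caller owns the video, which is the behaviour the post describes, and the hardened version also requires the `private` scope before returning a private video's metadata. The token names, scope set, video records and the `anybody`/`nobody` privacy values are constructed sample data and assumptions for the example.

```python
"""Scope-enforcing lookup for a /me/videos/<video_id> endpoint.

Added example, not Vimeo's code. Tokens, videos and privacy values below
are constructed for illustration; only the 'private' scope name comes
from the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Video:
    video_id: str
    owner: str
    privacy: str          # assumed values: "anybody" (public) or "nobody" (private)
    metadata: dict


@dataclass(frozen=True)
class Token:
    owner: str
    scopes: frozenset     # e.g. {"public"} or {"public", "private"}


# Constructed sample data: one public and one private video owned by alice,
# and two tokens for alice with different scopes.
VIDEOS = {
    "1001": Video("1001", "alice", "anybody", {"name": "Public talk", "duration": 1200}),
    "1002": Video("1002", "alice", "nobody", {"name": "Unreleased cut", "duration": 95}),
}
TOKENS = {
    "tok-public": Token("alice", frozenset({"public"})),
    "tok-private": Token("alice", frozenset({"public", "private"})),
}


class NotFound(Exception):
    """Video does not exist or is not owned by the caller (HTTP 404)."""


class InsufficientScope(Exception):
    """Token lacks the scope the resource requires (HTTP 403)."""


def _owned_video(token: Token, video_id: str) -> Video:
    video = VIDEOS.get(video_id)
    if video is None or video.owner != token.owner:
        raise NotFound(video_id)
    return video


def get_my_video_weak(token_str: str, video_id: str) -> dict:
    """The flaw described in the post: ownership is verified, scope is not.
    A token with only the 'public' scope still receives full metadata of a
    private video."""
    token = TOKENS[token_str]
    return _owned_video(token, video_id).metadata


def can_read(token_str: str, video_id: str) -> bool:
    """True if the token may read this video: public videos need no extra
    scope, private videos require the 'private' scope on the token."""
    token = TOKENS[token_str]
    try:
        video = _owned_video(token, video_id)
    except NotFound:
        return False
    return video.privacy == "anybody" or "private" in token.scopes


def get_my_video(token_str: str, video_id: str) -> dict:
    """Hardened lookup: ownership check plus a per-resource scope check,
    so the 'private' scope is enforced on the single-video endpoint and not
    only on the listing endpoint."""
    token = TOKENS[token_str]
    video = _owned_video(token, video_id)
    if video.privacy != "anybody" and "private" not in token.scopes:
        raise InsufficientScope(f"video {video_id} requires the 'private' scope")
    return video.metadata


if __name__ == "__main__":
    print("weak handler, public token, private video:",
          get_my_video_weak("tok-public", "1002"))      # leaks metadata
    print("hardened handler allows public token on private video:",
          can_read("tok-public", "1002"))               # False
    print("hardened handler with private scope:",
          get_my_video("tok-private", "1002"))
```

The point worth checking in any API with scoped tokens is that the scope is enforced on every route that can return the resource, including the by-id route, and not only on the list route; a test suite should request each such route with a token that is deliberately missing the scope and assert on a 403 or 404, never on a 200.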
Regards,
t4kemyh4nd