Private video info disclosure through API in Vimeo!


In this blog post, I'm gonna talk about a bug I found through API testing in the video sharing app Vimeo.

Private videos, as the name suggests, are supposed to be completely private. For an app to see a user's private videos, the access token needs to have the 'private' scope. You guessed it, scope-based testing.

So I created an access token with only the public scope and requested the endpoint `/me/videos/<private-video-id>`. And voila, all the metadata was leaked.
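To show what the missing check looks like from the defender's side, here is an added example (not Vimeo's code, and not from the original post) that models a `/me/videos/<id>` handler two ways: an ownership-only check that leaks private metadata to any token the owner holds, and a hardened version that additionally requires the `private` scope for non-public videos. The token and video classes, the `public`/`private` privacy labels, the sample store and the `scope_matrix` regression helper are all constructed for this illustration.

```python
from dataclasses import dataclass

# Added example, not Vimeo's code: a minimal model of a "/me/videos/<id>" handler
# showing the ownership-only check that leaks private metadata next to a check
# that also enforces the 'private' scope. Names and sample data are constructed.

@dataclass(frozen=True)
class AccessToken:
    user_id: str
    scopes: frozenset          # granted OAuth scopes, e.g. {"public"}

@dataclass(frozen=True)
class Video:
    video_id: str
    owner_id: str
    privacy: str               # "public" or "private" (constructed labels)
    title: str
    duration: int

# Constructed sample store: one public and one private video for user "alice",
# plus a private video owned by someone else.
VIDEOS = {
    "v-public":  Video("v-public",  "alice", "public",  "Holiday reel",   120),
    "v-private": Video("v-private", "alice", "private", "Unreleased cut", 300),
    "v-other":   Video("v-other",   "bob",   "private", "Bob's draft",     45),
}

PUBLIC_TOKEN  = AccessToken("alice", frozenset({"public"}))
PRIVATE_TOKEN = AccessToken("alice", frozenset({"public", "private"}))


def _metadata(video: Video) -> dict:
    return {"id": video.video_id, "title": video.title,
            "duration": video.duration, "privacy": video.privacy}


def get_video_vulnerable(token: AccessToken, video_id: str):
    """Ownership check only: any token for the owner, whatever its scopes,
    receives full metadata. This mirrors the bug described in the post."""
    video = VIDEOS.get(video_id)
    if video is None or video.owner_id != token.user_id:
        return 404, {"error": "not found"}
    return 200, _metadata(video)


def get_video_fixed(token: AccessToken, video_id: str):
    """Ownership check plus scope check: a private video is returned only
    when the token carries the 'private' scope."""
    video = VIDEOS.get(video_id)
    if video is None or video.owner_id != token.user_id:
        return 404, {"error": "not found"}
    if video.privacy != "public" and "private" not in token.scopes:
        return 403, {"error": "insufficient scope", "required": "private"}
    return 200, _metadata(video)


def scope_matrix(handler) -> dict:
    """Regression check: run every (token, video) pair through a handler and
    record the status codes, so a scope regression shows up as a changed cell."""
    tokens = {"public-scope": PUBLIC_TOKEN, "private-scope": PRIVATE_TOKEN}
    return {(tname, vid): handler(tok, vid)[0]
            for tname, tok in tokens.items() for vid in VIDEOS}


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_video_vulnerable),
                          ("fixed", get_video_fixed)):
        print(name)
        for (tname, vid), status in scope_matrix(handler).items():
            print(f"  {tname:14} {vid:10} -> {status}")
```

The `scope_matrix` helper is the point of the example: running every token/resource combination through the handler and pinning the expected status codes in a test is what turns the author's manual scope-based probing into a check that fails the build if a scope requirement is ever dropped again.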

