Vimeo highly vulnerable to CSRF attacks – now fixed

I recently found that vimeo.com had a cross-domain policy that allowed anyone to connect, which was an open invitation for CSRF attacks. I alerted them to the issue, and it has now been fixed.

As has been said over and over, an allow-all cross-domain policy file (a crossdomain.xml that grants access to every domain) should never be served from a domain where users log in. It leaves the site open to CSRF attacks from Flash clients hosted on other domains: the Flash file can request pages from the target domain, the browser attaches the user's session cookies to those requests, and the pages load exactly as if the user had requested them himself. Worse than ordinary CSRF, the Flash file can also read the responses, so it can silently pull all of the user's private information from the target site, and it can post data back, which could include changing the user's password, email address or profile or, in worse circumstances, adding or removing content or even making purchases, if the target site has any such feature.

This has been done against large sites like Facebook, MySpace, Adobe and YouTube – the latter was ironically documented via a video on Vimeo by Jeremiah Grossman.

In Vimeo’s case, you can “only” upload videos, but an attacker could actually perform any action on the user’s behalf that the user himself could – including changing the user’s bio, adding/removing videos, commenting on or liking other videos, etc. I made a small, seemingly innocent page that included a hidden Flash element, which first loaded the user’s info from vimeo.com/settings/personal and then re-posted this info back to the same page, adding an extra line to the bio – namely “You have been bwned”, as can be seen on my Vimeo profile.

Someone at Vimeo has clearly seen this demo (Julia Quinn has indeed), and now the cross-domain policy only allows *.vimeo.com (the new file is served with a Last-Modified timestamp of Thu, 11 Feb 2010 23:32:05 GMT, so the change is only an hour old). The strange thing is that if you go back via the Wayback Machine from archive.org, you can see that they had much better security back in 2007 and 2008 (the HTML render fails, but view the source), so I have no idea how such a relaxed policy suddenly appeared on their site. Google’s cache still shows the allow-all policy, as it dates back to January 20th (again, view the source to see the contents).

I found this while playing around, attempting to load videos from Vimeo directly in a custom FLV player on a different host than vimeo.com, and found that this was actually possible, as all videos from their site are served from av.vimeo.com, which has an allow-all cross-domain policy. And this makes sense, as that domain is only used for serving videos and nothing else – no cookies or authentication info are shared with this domain.

I haven’t heard from Vimeo yet – neither stating that they are looking at the issue nor that it has been fixed. I only post this after now seeing that it has been fixed.


Category: API, Flash Platform, Security, Uncategorized

3 Responses to “Vimeo highly vulnerable to CSRF attacks – now fixed”

  1. Chris Shiflett

    Nice find. I’m glad you contacted them, and I’m glad they fixed it.

  2. felisan

    scary!
    just had to check information on my own account, to see if I had been attacked :O)

  3. Barklund

    Well, it is not like anyone could use this to attack “random” accounts – only to attack visitors to a malicious website that happened to have a Vimeo account as well.

    Vimeo keeps the auto-login cookie for 10 years by default, so if you have just logged in once and not logged out, switched browser or cleared cookies, you’re most likely still logged in.

    And thus, your account could only have been “attacked” in the above-mentioned way (by appending something to your bio) if you had visited the above web page while Vimeo had the wrong policy in place.

