Comments on: Vimeo highly vulnerable to CSRF attacks – now fixed http://www.barklund.org/blog/2010/02/12/vimeo-vulnerable-csrf/ work smarter when building current web trends Wed, 23 Nov 2011 11:48:49 +0000 hourly 1 http://wordpress.org/?v=3.0.4 By: Barklund http://www.barklund.org/blog/2010/02/12/vimeo-vulnerable-csrf/comment-page-1/#comment-103494 Barklund Fri, 12 Feb 2010 14:23:54 +0000 http://www.barklund.org/blog/?p=683#comment-103494 Well, it is not like anyone could use this to attack "random" accounts - only to attack visitors to a malicious website, that happened to have a Vimeo account as well. Vimeo keep the auto-login-cookie for 10 years as default, so if you have just logged in once and not logged out, switched browser or cleared cookies, you're still logged in most likely. And thus, your account could only have been "attacked" in the above-mentioned way (by appending something to your bio) if you had visited the above web page while Vimeo had the wrong policy in place. Well, it is not like anyone could use this to attack “random” accounts – only to attack visitors to a malicious website, that happened to have a Vimeo account as well.

Vimeo keep the auto-login-cookie for 10 years as default, so if you have just logged in once and not logged out, switched browser or cleared cookies, you’re still logged in most likely.

And thus, your account could only have been “attacked” in the above-mentioned way (by appending something to your bio) if you had visited the above web page while Vimeo had the wrong policy in place.

]]> By: felisan http://www.barklund.org/blog/2010/02/12/vimeo-vulnerable-csrf/comment-page-1/#comment-103450 felisan Fri, 12 Feb 2010 07:46:29 +0000 http://www.barklund.org/blog/?p=683#comment-103450 scary! just had to check information on my own account, to see if I had been attacked :O) scary!
just had to check information on my own account, to see if I had been attacked :O)

]]> By: Chris Shiflett http://www.barklund.org/blog/2010/02/12/vimeo-vulnerable-csrf/comment-page-1/#comment-103377 Chris Shiflett Fri, 12 Feb 2010 01:36:34 +0000 http://www.barklund.org/blog/?p=683#comment-103377 Nice find. I'm glad you contacted them, and I'm glad they fixed it. Nice find. I’m glad you contacted them, and I’m glad they fixed it.

]]>