XSS vulnerability on vimeo.com
Last week I discovered a cross-site scripting vulnerability on the well-known video platform vimeo.com. It sits in the search module, which uses some kind of CSRF protection (which does not work very well, by the way): search links are only valid once, and requesting the same page a second time raises an error. So what is the problem? Vimeo outputs the search term unfiltered, and I guess you know how that story goes…
The sad thing about this bug is that I reported it to the Vimeo team seven days ago but have not received any response yet (except for an email address via the team's Twitter account). I have also recorded a screencast demonstrating the problem. Maybe some publicity will get the team to fix the bug.
Screencast: "Vimeo XSS vulnerability" by Lukas Klein, hosted on Vimeo.
Note: the "feature" does not handle old URLs as I said in the video; it is basically something like a CSRF protection (for whatever reason), so that a link only works one time.