Advisory: Tapuz - Flix Password ByPass
Vendor URL: http://www.tapuz.co.il
Author: Liad Mizrachi
Status: Not Fixed

==========================
Vulnerability Description
==========================
Flix is Tapuz's video streaming service. It allows users to upload videos and share them with others, and a user can choose to password-protect an uploaded video.

Upon loading a password-protected video, the user is prompted to enter the password, which is verified with an Ajax request. The URL http://flix.tapuz.co.il/v/Ajax/CheckPasswordProtectedMedia.aspx receives the video ID and password and returns 0/1.

By manipulating the response from the server, any user can access the movie without knowing the real password.

==========================
PoC
==========================
1. Load a password-protected movie on Flix.
2. Intercept the response from /v/Ajax/CheckPasswordProtectedMedia.aspx
3. Change the response body from '0' to '1'.
4. Enjoy the video.

PoC Demo [ https://vimeo.com/80252377 ]

==========================
Solution
==========================
Remove your content from the Tapuz Flix service and move it to a more secure service.

==========================
Disclosure Timeline
==========================
27-Jun-2013 - Vendor informed by mail.
27-Jun-2013 - Call with CIO & R&D Department.
19-Aug-2013 - eMail to get an update - No reply.
12-Nov-2013 - eMail to get an update - No reply.
17-Nov-2013 - eMail to get an update - No reply.
25-Nov-2013 - Advisory Published (No Fix yet).

==========================
References
==========================
http://flix.tapuz.co.il
http://www.alexa.com/siteinfo/tapuz.co.il
https://vimeo.com/80252377 [PoC Demo]
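
The weakness described under Vulnerability Description is that the 0/1 answer is the only gate, so whoever controls the response controls access. The sketch below is an added example, not code from this advisory or from Tapuz: it shows one server-side fix in which the password check returns a signed, expiring token bound to the video ID and the media endpoint refuses to serve without it. All names (`checkPassword`, `serveVideo`, the token format, the sample video IDs and passwords) are assumptions made for illustration.

```javascript
// Added example, not Tapuz code: all names and the token format are hypothetical.
const crypto = require("node:crypto");

const SERVER_KEY = crypto.randomBytes(32); // server-side secret, never sent to the browser
const TOKEN_TTL_MS = 10 * 60 * 1000;       // tokens expire after ten minutes

// Constructed sample data: each video stores a salted scrypt hash of its password.
function makeVideo(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}
const VIDEOS = new Map([
  ["1001", makeVideo("correct horse")],
  ["1002", makeVideo("another secret")],
]);

// HMAC over "videoId.expires" binds a token to one video and one expiry time.
function sign(videoId, expires) {
  return crypto.createHmac("sha256", SERVER_KEY).update(`${videoId}.${expires}`).digest("hex");
}

// Password-check endpoint: returns a token on success, null otherwise.
// A bare 0/1 answer is never what unlocks the video.
function checkPassword(videoId, password, now = Date.now()) {
  const video = VIDEOS.get(videoId);
  if (!video) return null;
  const candidate = crypto.scryptSync(String(password), video.salt, 32);
  if (!crypto.timingSafeEqual(candidate, video.hash)) return null;
  const expires = now + TOKEN_TTL_MS;
  return `${expires}.${sign(videoId, expires)}`;
}

// Media endpoint: re-validates the token on every request and returns an HTTP status.
function serveVideo(videoId, token, now = Date.now()) {
  const [expiresStr, mac] = String(token).split(".");
  const expires = Number(expiresStr);
  if (!VIDEOS.has(videoId) || !Number.isSafeInteger(expires) || expires < now) return 403;
  const expected = Buffer.from(sign(videoId, expires), "hex");
  const given = Buffer.from(mac || "", "hex");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return 403;
  return 200; // only here would the stream be released
}
```

With this design, rewriting the check response in a proxy only changes what the page displays; the media request still fails because the client cannot forge the HMAC.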