Adding profile picture to anyone on Vimeo

Disclosed: 2015-02-26 10:35:21 by avlidienbrunn to vimeo
Unknown
Vulnerability Details
Hi!

**Brief**

The profile picture upload feature at https://vimeo.com/settings/profile contains a bug where an access control check is missing when uploading a profile picture to a profile ID. This makes it possible to upload a profile picture to any account on Vimeo. Furthermore, since the upload has no rate limiting, it would in theory be possible to add a picture to every Vimeo account that exists (since the profile IDs are incremental).

**PoC**

1. Set up an intercepting proxy so that you can edit requests/responses to Vimeo.
2. Visit https://vimeo.com/settings/profile
3. Click the "Upload" button.
4. Choose any image.
5. If you did everything correctly, your browser should now send a request to /upload/_get_image_url with two POST parameters. One of them is called "id". Change this id to another profile id, then forward the request.
6. Your uploaded picture is now added to the other profile!

**Remediation**

The profile picture upload function should only work for the currently logged-in user's profile ID.

Mathias
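To show what the remediation looks like server-side, here is an added example (not Vimeo's code; the handler names, the in-memory profile store and the rate-limit values are constructed for illustration): the vulnerable handler trusts the client-supplied "id", while the hardened one derives the target profile from the session, refuses a mismatching "id", and applies a per-user sliding-window upload limit.

```python
import time
from collections import defaultdict, deque

# Constructed stand-in for the profile store: profile_id -> image bytes.
profile_pictures = {}

# Constructed rate-limit policy: at most LIMIT uploads per WINDOW seconds per user.
WINDOW_SECONDS = 60.0
LIMIT = 5
_upload_times = defaultdict(deque)


def vulnerable_set_profile_picture(session_user_id, form):
    """Mirrors the reported bug: the target profile comes from the POST body,
    so any authenticated user can overwrite any profile's picture."""
    target = int(form["id"])
    profile_pictures[target] = form["image"]
    return 200, target


def _rate_limited(user_id, now):
    """Sliding window: drop timestamps older than WINDOW_SECONDS, then check the count."""
    times = _upload_times[user_id]
    while times and now - times[0] > WINDOW_SECONDS:
        times.popleft()
    if len(times) >= LIMIT:
        return True
    times.append(now)
    return False


def hardened_set_profile_picture(session_user_id, form, now=None):
    """Authorizes against the session, never the request body, and rate-limits uploads.
    Returns an (http_status, profile_id) tuple: 403 and 429 carry no profile_id."""
    now = time.monotonic() if now is None else now
    if session_user_id is None:
        return 403, None
    # A client-supplied "id" is only accepted if it matches the logged-in user;
    # the write below uses the session value regardless.
    if "id" in form and int(form["id"]) != session_user_id:
        return 403, None
    if _rate_limited(session_user_id, now):
        return 429, None
    profile_pictures[session_user_id] = form["image"]
    return 200, session_user_id
```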
Report Stats
  • Report ID: 43617
  • State: Closed
  • Substate: resolved
  • Upvotes: 6