Advisory: Tapuz - Flix Password ByPass
Vendor URL: http://www.tapuz.co.il
Author: Liad Mizrachi
Status: Not Fixed

==========================
Vulnerability Description
==========================


Flix is 'Tapuz' video streaming service allowing users to upload their
video and share it with others, in addition, user can choose to password
protect the uploaded video.

Upon loading a password protected video, the user is promote to enter the
password, which is verified with Ajax request.
The URL http://flix.tapuz.co.il/v/Ajax/CheckPasswordProtectedMedia.aspxreceive
the video ID and password and return 0/1.
By manipulating the response from the server, any user can access the movie
without any knowledge on the real password.



==========================
PoC
==========================


1. Load a password protected movie on Flix
2. Intercept the response from /v/Ajax/CheckPasswordProtectedMedia.aspx
3. Change the response body from '0' to '1'
4. Enjoy the video.

PoC Demo [ https://vimeo.com/80252377 ]

==========================
Solution
==========================


Remvoe your content from Tapuz Flix Service and move it to a move secure
service.


==========================
Disclosure Timeline
==========================


27-Jun-2013 - vendor informed by mail
27-Jun-2013 - Call with CIO & R&D Department.
19-Aug-2013 - eMail to get an update - No reply.
12-Nov-2013 - eMail to get an update - No reply.
17-Nov-2013 - eMail to get an update - No reply.
25-Nov-2013 - Advisory Published (No Fix yet).


==========================
References
==========================

http://flix.tapuz.co.il
http://www.alexa.com/siteinfo/tapuz.co.il
https://vimeo.com/80252377 [PoC Demo]