http://developer.vimeo.com had a flaw in one of their inputs.
Here is how it works:
They have an input where you can add a url and it will fetch an image from anywhere and display it as a logo for your app:
Apart from the XSS, they weren't filtering to accept only image links.
The poc XSS:
The input break: