Legal Clickjacking VKontakte

    Let's talk about the widget for authorization.

    We are told that:
    Using the authorization widget, you can simply provide users with the opportunity to log in to your site.

    Also, we are told that:
    As a result of authorization, the widget returns the following fields: uid, first_name, last_name, photo, photo_rec, hash.


    Recipe:

    1. Create an application.
    2. Add a widget to our website.
    3. Using js, we force it to follow the cursor.
    4. Using css, make it transparent.
    5. The user clicks on the page.
    6. ?????????
    7. PROFIT!

    For the demo to work, you must be logged in to VKontakte.

    Demo

    I left translucency for a better understanding of the mechanics of the process. In real life, the value of opacity will be zero.

    I thought that it was not good to give out user data and I wrote to the support team. Support Agent #920 answered me:

    This is not a vulnerability. And what's the big deal?

    Such an undocumented opportunity ...
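
    A check the widget's provider could run inside the framed widget to catch the transparent-overlay step of the recipe, as an added example that is not part of the original post and is not VKontakte's code. It relies on Intersection Observer v2 (`trackVisibility` / `isVisible`, implemented in Chromium-based browsers); the names `createVisibilityGate`, `guardButton` and the 800 ms threshold are assumptions made for illustration.

```javascript
// Added example: widget-side click guard, meant to run in the widget's own
// (framed) document. All names and MIN_VISIBLE_MS are hypothetical.
const MIN_VISIBLE_MS = 800;

// Tracks how long the login button has been continuously and truly visible.
function createVisibilityGate(minVisibleMs = MIN_VISIBLE_MS) {
  let visibleSince = null; // time of the last hidden -> visible transition
  return {
    // Feed every IntersectionObserverEntry for the button into this.
    update(entry) {
      // isVisible is only set by Intersection Observer v2. It is false when
      // the target is covered by other content or has visual effects applied
      // (for example opacity below 1). Where v2 is missing it is undefined,
      // so the gate stays closed (fail closed).
      const ok = entry.isIntersecting && entry.isVisible === true;
      if (!ok) visibleSince = null;
      else if (visibleSince === null) visibleSince = entry.time;
    },
    // Call from the click handler before releasing any profile fields.
    allows(now) {
      return visibleSince !== null && now - visibleSince >= minVisibleMs;
    },
  };
}

// Browser wiring: observe the button and route each click through the gate.
function guardButton(button, onTrustedClick, onSuspectClick) {
  const gate = createVisibilityGate();
  const io = new IntersectionObserver(
    (entries) => entries.forEach((e) => gate.update(e)),
    // delay must be at least 100 ms when trackVisibility is enabled
    { threshold: [1.0], trackVisibility: true, delay: 100 }
  );
  io.observe(button);
  button.addEventListener('click', (ev) => {
    // entry.time and performance.now() share the same time origin
    if (gate.allows(performance.now())) onTrustedClick(ev);
    else onSuspectClick(ev); // e.g. ask for confirmation in a top-level window
  });
  return io;
}
```

    A click that fails the gate is not dropped; it is sent to `onSuspectClick`, where the widget can fall back to an explicit confirmation that the embedding page cannot make transparent.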


    You think this

    • 10.3% Bug 337
    • 26.3% Feature 856
    • 63.3% Vulnerability 2061
