Security flaw in VK web applications: editing other people's applications

The essence of the problem: you can change the "site theme" property of any application of the "Web site" type, even one that does not belong to you.



How it happens:


  1. Create an application with the same website address as the victim's application.
  2. Open the application for editing. On the "Settings" tab there is a drop-down list of "site themes"; change the value. Now the theme has also changed in the original application.
  3. We check. It is impossible to verify. I could not find where to look at this property, and did not even find a method in the VK API method list that would return information about the application. However, if you are the owner of several applications, or create applications according to the above rules even on different accounts, then you can make sure of this.
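The post does not say how VK stores this setting. As an added illustration (not VK's code and not from the original post), the Python model below assumes the theme is stored under the site address rather than the application ID, which reproduces the behaviour in the steps above, and includes the regression check a developer could run against the fix. All names and sample values are hypothetical.

```python
# Toy model, not VK's code: every name here is hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    app_id: int
    owner_id: int
    site_url: str


class ThemeStore:
    """Stores the "site theme" under whatever key `key_of` derives from an app."""
    def __init__(self, key_of):
        self._key_of = key_of
        self._themes = {}

    def set_theme(self, actor_id, app, theme):
        # The caller does own the app being edited, so this check passes.
        if actor_id != app.owner_id:
            raise PermissionError("not the app owner")
        # The write is only as isolated as the storage key is.
        self._themes[self._key_of(app)] = theme

    def get_theme(self, app):
        return self._themes.get(self._key_of(app))


def by_site(app):
    return app.site_url   # flawed: any user can register the same address

def by_app(app):
    return app.app_id     # fixed: unique per app and covered by the owner check


def cross_app_leak(key_of):
    """Return True if editing one app changes another app's theme."""
    # Constructed sample data: two owners, same site address.
    original = App(app_id=1, owner_id=100, site_url="https://example.test")
    lookalike = App(app_id=2, owner_id=200, site_url="https://example.test")
    store = ThemeStore(key_of)
    store.set_theme(100, original, "News")
    store.set_theme(200, lookalike, "Games")
    return store.get_theme(original) != "News"


if __name__ == "__main__":
    print("keyed by site address:", cross_app_leak(by_site))
    print("keyed by app id:", cross_app_leak(by_app))
```

In this model the ownership check passes in both variants; only the storage key decides whether the write stays inside the caller's own application.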


The code in the article's annotation is purely illustrative; the methods it lists do not exist in the VK API.
