Access to Vkontakte private video

    It turned out that it became interesting for me to find out how safe it is to publish a private video on It turned out that now the level of protection is weak.

    Dig a little

    Before exploring other people's files, it's worth exploring the system more closely, so I uploaded the video on VKontakte, made it public, and fed it to on the video URL. The service is good, because it kindly provided me with a direct link to my file.

    Further, I made my public video extremely private (only for myself), and tried again to download the file directly with the session ended. Yeah, swinging. This means that the servers on the distribution of the video do not check for privacy (and they do it right, because it must be done elsewhere).

    Thumbnail is all

    The link to my public, and now private video looks like:

    in which the most interesting part is 08e8e26a100647241. This is clearly a hash and it is unlikely to be able to calculate it, which means that you need to find this hash on the site - in the source, in comments, anywhere. Viewing the source codes of the pages with the list of my video and watching the video didn’t work, but it’s clear that the thumbnail of the video is generated by the script:

    id of the clip and so on, we are not interested in. The main thing is that this script gave us a direct link to the picture:

    and yes, here it is our hash (08e8e26a100647241), which we observed in the link to the video. Of course, now you can associate any thumbnail with part of the full path to the flv file.

    The path to the file

    If the file name can be obtained from the name of the image, then now you need to complete the rest of the path - the name of the server and subdirectory. The subdirectories are all the same and the differences in the links are only in the hosts. In general, all links to videos can be described as

    http: // [0-9] + .gt (2 | 3) / assets / videos / [0-9a-z] {, 16} .vk.flv

    We are interested in the part before, because everything is clear with the hash. Assuming that at the video output 2000 servers (with a cool margin) scan all the hosts and for the ip address, where xxx is from 1 to 1000.

    It turned out that VKontakte has about 250 servers (unique ip) for issuing video (maybe they also host and audio, did not check). Having these 250 servers we make a simple search for downloading the file:

    http: // [ipaddress from the pool] / assets / videos / [hash from the picture] .vk.flv

    If the file is not physically found, the server will issue a default flv movie of 300 kilobytes with some kind of dumb music. That is, any file that is different in size from the default one is the video you are looking for, and the file is found in no more than ~ 250 requests.

    How to fix it

    make an access check in the script /get_thumbnail.php and if there are no rights, then show the default picture, they say here are personal affairs and there is nothing to see the preview. In addition to this, you should not show the video in lists at all if it is impossible to watch.

    Thanks kabachok
    an easier way to get the hash
    / get_thumbnail? vkid = 100647241 & vtag = 08e8e26a & size = 160 = 08e8e26a 100647241
    this means that the hash principle cannot be published.

    Also popular now: