
Access to Vkontakte private video
I got curious about how safe it is to publish a private video on VKontakte.ru. It turned out that the level of protection is currently weak.
Dig a little
Before looking at other people's files, it is worth studying the system more closely, so I uploaded a video to VKontakte, made it public, and gave its URL to videosaver.ru. The service is good: it kindly provided me with a direct link to my file.
Next, I made my public video as private as possible (visible only to me) and tried again to download the file directly, with my session ended. Yep, it downloads. This means that the video distribution servers do not check privacy (and rightly so, because that must be done elsewhere).
The thumbnail is everything
The link to my formerly public, now private video looks like this:
551.gt3.vkadre.ru/assets/videos/08e8e26a100647241.vk.flv
The most interesting part of it is 08e8e26a100647241. This is clearly a hash, and it is unlikely that it can be calculated, which means the hash has to be found on the site: in the page source, in comments, anywhere. Viewing the source of the pages with my video list and the video player turned up nothing, but it is clear that the video thumbnail is generated by a script:
vkadre.ru/get_thumbnail?vkid=100647241&vtag=08e8e26a&size=160
The clip id and the other parameters are not of interest. The main thing is that this script gave us a direct link to the picture:
551.gt3.vkadre.ru/assets/thumbnails/08e8e26a100647241.160.vk.jpg
And yes, here is our hash (08e8e26a100647241), the same one we saw in the link to the video. So any thumbnail can now be associated with part of the full path to the flv file.
The path to the file
Since the file name can be obtained from the image name, what remains is the rest of the path: the server name and the subdirectory. The subdirectories are all the same; the links differ only in the host. In general, all video links can be described as
http://[0-9]+.gt(2|3).vkadre.ru/assets/videos/[0-9a-z]{,16}.vk.flv
We are interested in the part before vkadre.ru, since the hash is already settled. Assuming that 2000 servers serve video (with a generous margin), we scan all the hosts xxx.gt2.vkadre.ru and xxx.gt3.vkadre.ru for their IP addresses, where xxx runs from 1 to 1000.
It turned out that VKontakte has about 250 servers (unique IPs) for serving video (they may host audio as well; I did not check). With these 250 servers, a simple search finds the file:
http://[ipaddress from the pool]/assets/videos/[hash from the picture].vk.flv
If the file is not physically present, the server returns a default flv movie of 300 kilobytes with some kind of dumb music. So any file whose size differs from the default one is the video being sought, and the file is found in no more than ~250 requests.
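The search described above leaves a recognisable trace on the serving side: one client asks many media servers for the same file name and receives the default movie from almost all of them. A detection sketch for that pattern follows; it is an added example, not code from the original post or from VKontakte, and the log format, the byte size of the default movie, the threshold and all addresses and file names in the sample are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: exact size of the default movie; the article only says 300 kilobytes.
DEFAULT_FLV_BYTES = 300 * 1024
MIN_HOSTS = 5   # assumed threshold: a player normally asks one host per file

# Constructed log lines: client, media server, request path, response bytes.
SAMPLE_LOG = "\n".join(
    [f"198.51.100.23 192.0.2.{n} /assets/videos/0a1b2c3d100000002.vk.flv 307200"
     for n in range(1, 6)]
    + ["198.51.100.23 192.0.2.6 /assets/videos/0a1b2c3d100000002.vk.flv 5242880",
       "203.0.113.7 192.0.2.3 /assets/videos/4e5f6a7b100000003.vk.flv 7340032",
       "203.0.113.9 192.0.2.4 /assets/videos/ffff0000100000009.vk.flv 307200"]
)

def find_host_sweeps(lines, min_hosts=MIN_HOSTS):
    """Flag clients that ask many media servers for one and the same file."""
    hosts = defaultdict(set)      # (client, path) -> servers asked
    defaults = defaultdict(int)   # (client, path) -> default-movie responses
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue              # skip malformed lines
        client, host, path, size = parts[0], parts[1], parts[2], int(parts[3])
        if not (path.startswith("/assets/videos/") and path.endswith(".vk.flv")):
            continue
        hosts[(client, path)].add(host)
        if size == DEFAULT_FLV_BYTES:
            defaults[(client, path)] += 1
    alerts = []
    for (client, path), asked in hosts.items():
        misses = defaults[(client, path)]
        # A sweep hits many servers and gets the default movie from nearly all.
        if len(asked) >= min_hosts and misses >= len(asked) - 1:
            alerts.append({"client": client, "path": path,
                           "hosts": len(asked), "default_responses": misses})
    return alerts

if __name__ == "__main__":
    for alert in find_host_sweeps(SAMPLE_LOG.splitlines()):
        print(alert)
```

The viewer who follows a single stale link and gets the default movie once is not flagged; only the repeated miss across servers is.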
How to fix it
Add an access check to the /get_thumbnail.php script and, if the viewer has no rights, show a default picture that says this is private and there is no preview to see. In addition, the video should not be shown in lists at all if the viewer cannot watch it.
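A sketch of both fixes, written in Python rather than the site's PHP so that it runs stand-alone; it is an added example, not VKontakte's code. The privacy levels, the default image path, the user ids and the second and third sample clips are assumptions; the first clip reuses the vkid and vtag quoted in the article.

```python
from dataclasses import dataclass

DEFAULT_THUMB = "/static/private_video.jpg"   # hypothetical placeholder image
ALLOWED_SIZES = {160}                          # the only size seen in the article

@dataclass(frozen=True)
class Video:
    vkid: int
    owner: int
    vtag: str
    privacy: str   # assumed levels: "public", "friends", "only_me"

def can_view(viewer, video, friends):
    """viewer is a user id, or None for a request without a session."""
    if viewer is not None and viewer == video.owner:
        return True
    if video.privacy == "public":
        return True
    if video.privacy == "friends":
        return viewer in friends.get(video.owner, set())
    return False   # "only_me" and any unknown value fail closed

def get_thumbnail(viewer, vkid, size, videos, friends):
    """Return the real thumbnail path only to viewers allowed to watch.

    Missing, forbidden and malformed requests all get the same default
    picture, so the response never reveals the file name or whether the
    clip exists.
    """
    video = videos.get(vkid)
    if video is None or size not in ALLOWED_SIZES:
        return DEFAULT_THUMB
    if not can_view(viewer, video, friends):
        return DEFAULT_THUMB
    return f"/assets/thumbnails/{video.vtag}{video.vkid}.{size}.vk.jpg"

def listed_videos(viewer, videos, friends):
    """Video ids to show in a list: only clips the viewer can watch."""
    return sorted(v.vkid for v in videos.values() if can_view(viewer, v, friends))

# Constructed sample data; the first clip reuses the ids quoted in the article.
VIDEOS = {v.vkid: v for v in (
    Video(100647241, owner=1, vtag="08e8e26a", privacy="only_me"),
    Video(100000002, owner=1, vtag="0a1b2c3d", privacy="friends"),
    Video(100000003, owner=1, vtag="4e5f6a7b", privacy="public"),
)}
FRIENDS = {1: {2}}   # user 2 is a friend of user 1

if __name__ == "__main__":
    for viewer in (1, 2, 3, None):
        print(viewer, listed_videos(viewer, VIDEOS, FRIENDS),
              get_thumbnail(viewer, 100647241, 160, VIDEOS, FRIENDS))
```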
Update
Thanks, kabachok
An easier way to get the hash:
/get_thumbnail?vkid=100647241&vtag=08e8e26a&size=160 = 08e8e26a 100647241
this means that the hash principle cannot be published.