An unobvious vulnerability of some VKontakte groups

Suppose an organization is given the task of registering an official VKontakte group or page. The first question is: from which account? What if users visit the employee's personal page and find nudity, gore and the like? A personal page, after all, is not expected to meet corporate standards. So the idea arises to register a new "work" account.

A small catch

New VKontakte accounts must be bound to a phone number. Employees' personal numbers are, as a rule, already used for their personal pages, and it is not quite proper to bind a work account to a personal SIM card. In this situation the logical decision seems to be to go down to the subway, buy a new SIM card and bind it to the work account.

As a result, a SIM card is bought, an account is registered from it, and the community is created from that account. After that the development, filling and promotion of the organization's presence in the social network begins.

Several years pass

The group grows, news is written, users actively like, comment and post. There is even a whole staff of moderators and community administrators attending to everyone in need. But in all this idyll there is a weak link: the account of the community's creator.

The "work" SIM card has been safely lying in a drawer for a couple of years as no longer needed. The money on it was expropriated by the operator via automatically connected services. The number was disabled for inactivity.

The work account itself stayed logged in all this time in the work browser on the work computer. But then the need for it disappeared, as other employees took over administration.

What is the vulnerability?

The vulnerability lies in the SIM card. Operators quite quickly return inactive phone numbers to the market. And if this number ends up with a curious social-network enthusiast, there is a non-zero probability that he will want to restore the account to which this number was previously bound. And the social network itself will help him with this through its reminders.

Here you need to understand that the creator's account grants full control over the group. Group moderators can be demoted by administrators. Administrators can be removed by other administrators, and all of them together are controlled by the group creator.

At some point our wonderful corporate group can turn into a pumpkin advertising some kind of hat.

What to do?

Ordinary mortals without access to the Singer House have no way to change who is listed as the creator of a group. Therefore you need to contact VKontakte technical support.

They set you a not-so-simple quest: draw up a strange set of papers and get them signed by the big bosses.

If you manage to collect all of this, the creator account will be changed, and thus the vulnerability will be fixed.

I suggest that everyone who could be in this situation check the security of the creator's account. After all, nobody wants to lose what was earned by back-breaking labor =)
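The check suggested above can be made routine. The following Python script is an added example, not part of the original post and not a VKontakte tool: it keeps a constructed inventory of the accounts that own or administer a community, records when the SIM card bound to each one was last actually used, and flags accounts whose number has sat idle long enough for an operator to reissue it. The reclaim period (OPERATOR_RECLAIM_DAYS), the account names and the phone numbers are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumption for the example: how long an operator keeps an unused number before
# returning it to the market. Real values differ per operator; check your contract.
OPERATOR_RECLAIM_DAYS = 180

# The creator outranks administrators, who outrank moderators (as the post describes).
ROLE_RANK = {"creator": 3, "administrator": 2, "moderator": 1}


@dataclass
class ServiceAccount:
    name: str               # hypothetical account label
    role: str               # "creator", "administrator" or "moderator"
    phone: str              # number the account is bound to (constructed sample)
    sim_last_used: date     # last call, SMS or top-up on that SIM
    still_logged_in: bool   # an old authorised session on a shared workstation


def account_findings(acct: ServiceAccount, today: date) -> list[str]:
    """Return the risk findings for one account (empty list means nothing to fix)."""
    findings = []
    idle_days = (today - acct.sim_last_used).days
    if idle_days >= OPERATOR_RECLAIM_DAYS:
        findings.append(
            f"phone {acct.phone} idle for {idle_days} days: the number may already be "
            "reissued and usable for SMS account recovery"
        )
    if acct.still_logged_in:
        findings.append("stale authorised session left on a shared work computer")
    if acct.role == "creator" and findings:
        findings.append("creator role: a takeover controls every administrator and moderator")
    return findings


def audit(accounts: list[ServiceAccount], today: date) -> dict[str, list[str]]:
    """Map account name -> findings, most powerful role first, omitting clean accounts."""
    report = {}
    for acct in sorted(accounts, key=lambda a: -ROLE_RANK[a.role]):
        findings = account_findings(acct, today)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample inventory: the creator's SIM went into a drawer years ago.
SAMPLE_ACCOUNTS = [
    ServiceAccount("vk_corp_creator", "creator", "+7-900-000-00-01", date(2016, 3, 1), True),
    ServiceAccount("smm_admin", "administrator", "+7-900-000-00-02", date(2018, 5, 20), False),
    ServiceAccount("moderator_1", "moderator", "+7-900-000-00-03", date(2018, 6, 1), False),
]
SAMPLE_TODAY = date(2018, 6, 10)

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(name)
        for line in findings:
            print("  -", line)
```

The point of the inventory is that a recovery factor (the bound phone number) is an asset with its own lifecycle: once the SIM stops being used, the creator account should be re-bound to a number the organization actually controls, or the creator role transferred through support before the number is reissued.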


The "Development" stream does not match the subject of this note, but it is the stream in which the "Information Security" hub is located.
