How a new phone helped find a VKontakte vulnerability

    Good afternoon, Habr!

    I want to tell you the story of how I once found a VKontakte vulnerability that allowed a user's page on the social network to be identified from their phone number.

    It all started with the purchase of a new phone. After buying it, I installed the VKontakte application for Android and logged in to my account. The application then offered to search for friends in my phone book, which I did. My surprise knew no bounds when it suggested adding people as friends. There were several of them, and once I understood how the search worked, I saved several unknown numbers to my phone book and ran the search again. The application returned several more user pages belonging to people I did not know at all.

    As a law-abiding user, I reported the vulnerability through the hackerone.com platform.
    A month and a half after submitting the bug report, I received an answer.
    [screenshot: the reply to the report]
    To say that I was surprised would be an understatement. After all, the 2 users found from random numbers obviously could not have had my phone number saved. And some of the friends found in my first search did not even have the VKontakte application installed on their phones. By the time they answered me, the bug had already been fixed. After this incident, my desire to help this social network in any way disappeared.

    UPD: 05.24.2016 After the publication, I received a response from the support service.
    [screenshot: the support service response]
    In other words, disclosure of personal information is not considered a vulnerability.
