Group admins in vk have always been in the public domain

Earlier, I already wrote one post on geektimes that there were no truly anonymous publics in VK until 10.29.14 . But as it turned out, I was wrong about the date. And he did not fully realize the essence of the existing problem of anonymity.

Most users of the VKontakte social network are familiar with the principle of the work of groups and public pages. There is one creator, moderators and subscribers. Depending on the settings, some of them have the ability to post their own publications in the community feed. It is logical that the server will store data about everyone who participated in the posting of the message. The longest chain consists of two elements: the user who wrote the message in the "offer news" block and the moderator with whose hand a confirmation was delivered. Based on this, we can assume that this data can be obtained through api.

Turning to the documentation, it’s easy to find out that most of the methods associated with public objects (wall posts, photos, documents, ...) in the response return the result of the query and two additional arrays (if extend = is specified during the request ):

response: {
  items: [],
  profiles: [{
    id: 1,
    first_name: 'Pavel',
    last_name: 'Durov',
    sex: 2,
    screen_name: 'durov',
    photo_50: 'http://cs629231.v...543/FfB--bOEVOY.jpg',
    photo_100: 'http://cs629231.v...542/fcMCbfjDsv0.jpg',
    online: 0
  }],
  groups: []
}

The names of the arrays make it clear what they should contain and what they are for. When requesting a message from the community wall, we will receive the message itself, the user who wrote it (+ moderator), and the object of the group itself. Everything is extremely simple and transparent. But in many communities there is a concept of anonymity. For example, groups in which people talk about their life’s troubles and hardships, through the “offer news” functionality marked “anonymously”. The moderator, before publishing the post, will uncheck the corresponding checkbox and the account of the true author will not be displayed anywhere. Or a publicist who wants to stay in the shadow and not reveal his personality will remove all links and marks about the creator in the settings of his public page.

The first time I came across the fact that the very simplest request is wall.getreturns the person from the first example in the user list. I wrote about this (link in the header). And now, after two years, I once again just turned to the documentation out of interest. This time I watched the newsfeed.getComments method without any malicious intent. This method returns posts in which the current user has left a comment or otherwise subscribed to notifications (section "My News -> Comments"). Having received the results I needed, I noticed that there are 5 accounts in the server response in the unfortunate profiles array . Why they are needed and where they come from should immediately find out. For tests, I took an anonymous group of my city, left a comment under the last post and looked at the server’s response, upon request to this method.

It turned out that each of these users was directly related to the post. The first was the one who published the news, that is, the person with the rights not lower than the moderator, the second was the one who “offered the news”, if any, and the remaining three were the last to comment on the record. After checking on those groups in which all this data was “hidden” by the privacy settings, everything was only confirmed. That's exactly what it was: everything that was hidden by the privacy settings was accessed with three clicks.

The first thing I wanted to do was to report this misunderstanding to the resource’s bug tracker. Where I was met by a tape of errors currently being processed related to minor a'la flaws "you have a cant with layout, two pixels are extra". After ten minutes of searching, I despaired of finding the “report” button myselfabout a security hole the size of a Boeing hangar . ” The guys from the forums suggested launching the form through the web console, but this form did not send data referring to access denied. I didn’t want to contact the usual technical support because of the last time, especially since during testing new.vk.com they respond for 2-3 days. Therefore, I decided to write to someone to whom, as I thought, it would be interesting, thereby attracting attention to the error. The choice fell on vc.ru, as the most affordable in terms of communication - they have all the buttons on the site in place. Moreover, an old publication about a guy who received a monetary reward for being able to find out the group administrator through a link to the repost surfaced in his memory.

While I was waiting for an answer from them, I investigated all the possible variations of the method. There were still limitations, it was only possible to recognize these users if the entry was on the community wall, comments were allowed in the community. It was this limitation that prevented me from proving to someone from vc that I was not just making up who moderates which group. They asked to say who the admin of their group is, and their comments are disabled. I just began to flood them with a list of moderators of well-known news communities: Channel One, RBC, Izvestia and others. Along the way, he dropped the same links into his group without subscribers, so as not to lose along with the correspondence and to brag to all his two friends. I did not take into account the fact that links in group posts have the ability to notify people tagged in them. And one of the mentioned moderators wrote to me with a request to tell how I achieved this. I darkened to the last, expecting vc to somehow help with closing the hole. Two hours later from vc they told me that they reported to VK, and they themselves will not do anything.

Bottom line: my account with all contacts, portfolio, music collection, notes and bookmarks has sunk into oblivion with the signature "locked forever." My groups were deleted, records were rubbed, the hole was drastically closed, now nothing is displayed in profiles at all. The only thing left from this case is my unwillingness to report such a thing to anyone at all.

Also popular now: