VKontakte vulnerability: access to photo previews from dialogs and hidden albums of any user

In short


A vulnerability was discovered in the mobile version of vk.com. It allowed viewing previews of hidden photos, including photos from users' dialogs, and also obtaining the list of users who liked a hidden photo. The vulnerability no longer exists: it was fixed six months ago. VKontakte expressed its gratitude in the amount of $700 (no, not in votes).

How it all started


During the exam session you get distracted by everything except preparing for exams. So when I saw an article about VKontakte's Bug Bounty program on hackerone.com, I set out to look for vulnerabilities instead of studying. For some reason I was immediately drawn to vulnerabilities related to photos with restrictive privacy settings, and as it turned out, not in vain.

Search for vulnerabilities on the full version of the site


Assuming that the id of a hidden photo is known to me (see below on how to find it), I started substituting this id into all kinds of requests with curl: I tried to save hidden images to my album, tag myself on them, like them, repost them, and so on. None of this gave a positive result, until I tried simply posting a hidden photo to my wall. The result was strange: in the console the request returned a correct result and a new post appeared on the wall, but its contents were empty. No matter what I tried, the server blocked every attempt to post a hidden photo to the wall, and the posts came out empty.

Transition to the mobile version




Then I remembered this comment and decided to try the same thing in the mobile version of the site.

Send a photo to the wall:

curl 'http://m.vk.com/wall53083705' -H 'Cookie: remixsid=#remixsid' --data 'act=post&hash=#hash&attach1_type=photo&attach1=idВладельцаФото_idСкрытогоФото'
# the photo id consists of two parts separated by an underscore: idВладельцаФото_idСкрытогоФото (photo owner id _ hidden photo id)

This request did not execute correctly, but when I refreshed the page I was surprised to find that a small attached copy of the photo had appeared on the posting form.



The maximum size of the photo is 130x130, but that is enough, for example, to recognize the faces in it. Attempts to obtain a link to the full-size photo came to nothing. Apparently, after the closure of this vulnerability, direct links to full-size images simply cannot be obtained from the mobile version of the site.

Enumerating photos


So the vulnerability is found. To exploit it, you need to obtain the id of the target photo.

The photo id consists of two parts: photo12345_330000000 (ownerId_photoId). The second part grows from photo to photo, but it is not an ordinary auto-increment. Since the algorithm for choosing the step is unknown, we iterate with step 1. For this we use the photos.delete API method. For every existing photo (including hidden ones) it returns error_code: 15, and for every non-existent photo id it returns 1.

Search speed

From this article you can learn how to enumerate photos quickly. Yes, the data in it is not the latest, but even allowing for the number of photos having doubled in a year, the search time is still acceptable:

to find direct links to user pictures, for example, over the past year, you only need to go through 30 million (from _320000000 to _350000000) variants of links


Using the search speedups from that article, a user's photos could be enumerated as follows:

all of yesterday's photos in 1 minute, all photos uploaded last week in 7 minutes, last month in 20 minutes, last year in 2 hours.


Separating open from hidden

Having obtained links to all of a user's photos (both hidden and open), you can pick out only the hidden ones by trying to get information about each photo with the photos.getById method. Photos for which this method returns no information are hidden.

Information about likes


It was also possible to find out which users liked a hidden photo. The likes.getList method returned all users who had added the given object to their "Likes" list, even if the object was hidden from the user calling the method.
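The three behaviours described above (the posting form rendering a thumbnail of a photo it never checked, photos.delete answering with a different error code for hidden and for non-existent ids, and likes.getList ignoring the object's privacy) share one root cause: the privacy check is either absent or applied only at the point of full-size rendering, instead of at every entry point that touches the object. The toy service below is an added example, not VK's code or the author's script. It reproduces those behaviours in a vulnerable class and then shows a hardened class where every method first resolves the photo as the caller is allowed to see it. All class and method names are assumptions; only the error codes 1 and 15 come from the post.

```python
"""Added example (not VK's code): an existence oracle and a privacy bypass,
reproduced in a toy photo service, next to a hardened variant."""
from dataclasses import dataclass, field

ERR_NOT_FOUND = 1       # from the post: returned for a non-existent photo id
ERR_ACCESS_DENIED = 15  # from the post: returned for an existing photo the caller may not delete


@dataclass
class Photo:
    owner: int
    hidden: bool
    likes: set = field(default_factory=set)
    thumb_url: str = ""


class VulnerablePhotoService:
    """Authorization happens late (at full-size rendering) or not at all."""

    def __init__(self, photos):
        self.photos = dict(photos)  # {(owner_id, photo_id): Photo}, constructed store
        self.drafts = {}            # caller -> (owner_id, photo_id) attached to the post form

    def delete(self, caller, owner, photo_id):
        p = self.photos.get((owner, photo_id))
        if p is None:
            return {"error_code": ERR_NOT_FOUND}
        if caller != owner:
            return {"error_code": ERR_ACCESS_DENIED}  # different code => existence oracle
        del self.photos[(owner, photo_id)]
        return {"response": 1}

    def get_by_id(self, caller, owner, photo_id):
        p = self.photos.get((owner, photo_id))
        if p is None or (p.hidden and caller != owner):
            return {"response": []}  # hidden and missing look alike here; delete() is the oracle
        return {"response": [{"owner_id": owner, "id": photo_id}]}

    def likes_get_list(self, caller, owner, photo_id):
        p = self.photos.get((owner, photo_id))
        if p is None:
            return {"error_code": ERR_NOT_FOUND}
        return {"response": sorted(p.likes)}  # no privacy check at all

    def attach_to_draft(self, caller, owner, photo_id):
        # Only checks that the id exists; privacy is deferred to wall rendering.
        if (owner, photo_id) in self.photos:
            self.drafts[caller] = (owner, photo_id)

    def render_draft_preview(self, caller):
        ref = self.drafts.get(caller)
        return self.photos[ref].thumb_url if ref in self.photos else None  # thumbnail leaks


class HardenedPhotoService(VulnerablePhotoService):
    """Every entry point resolves the object through the caller's view first."""

    def _visible(self, caller, owner, photo_id):
        p = self.photos.get((owner, photo_id))
        if p is None or (p.hidden and caller != owner):
            return None  # "not visible" collapses hidden and non-existent into one answer
        return p

    def delete(self, caller, owner, photo_id):
        p = self._visible(caller, owner, photo_id)
        if p is None:
            return {"error_code": ERR_NOT_FOUND}
        if caller != owner:
            return {"error_code": ERR_ACCESS_DENIED}  # only for photos the caller can see anyway
        del self.photos[(owner, photo_id)]
        return {"response": 1}

    def likes_get_list(self, caller, owner, photo_id):
        p = self._visible(caller, owner, photo_id)
        if p is None:
            return {"error_code": ERR_NOT_FOUND}
        return {"response": sorted(p.likes)}

    def attach_to_draft(self, caller, owner, photo_id):
        # Authorize at attach time, so no preview of a hidden photo is ever produced.
        if self._visible(caller, owner, photo_id) is not None:
            self.drafts[caller] = (owner, photo_id)


def probe(service_cls):
    """Run the post's three checks as a non-owner against a constructed store
    holding one hidden photo, and report which of them still leak."""
    svc = service_cls({(42, 330000000): Photo(42, True, {7, 9}, "cdn/42_330000000_130.jpg")})
    attacker, owner, pid = 99, 42, 330000000
    oracle = svc.delete(attacker, owner, pid) != svc.delete(attacker, owner, pid + 1)
    likes = svc.likes_get_list(attacker, owner, pid).get("response") == [7, 9]
    svc.attach_to_draft(attacker, owner, pid)
    preview = svc.render_draft_preview(attacker) is not None
    return {"existence_oracle": oracle, "likes_leak": likes, "preview_leak": preview}


if __name__ == "__main__":
    print("vulnerable:", probe(VulnerablePhotoService))
    print("hardened:  ", probe(HardenedPhotoService))
```

The design point is that `_visible` is the single place where "does this object exist for this caller" is decided, and every API method, including the one that only attaches a reference for later rendering, goes through it. With that in place an unauthorized caller gets the same answer for a hidden photo as for an id that was never issued, so sequential probing yields nothing, and the access-denied code is returned only for objects the caller could see anyway.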

Report on hackerone


My report was opened in June. They closed the vulnerability after two and a half months without telling me anything. A month later I received a reply that the vulnerability was confirmed and closed. And some time after that I received the reward.

P.S.: for those withdrawing a hackerone.com reward to a new PayPal account for the first time, I advise reading the conditions carefully. When transferring funds, PayPal may, without your consent, convert the reward into the currency of the country indicated in your profile.
