VKontakte does not pay users for vulnerabilities found

In late May, VKontakte solemnly announced the launch of an open vulnerability reward program. This, along with some other events, prompted me to write this article. The story began back in September 2014 when, while writing a service based on the social network's API, I discovered a vulnerability that made it possible to identify both the community administrator who published a post and the person who had suggested that post.


1. Vulnerability Detection


The vulnerability was in the newsfeed.get API method. In the response to the most ordinary request, the returned object contained, among other fields, an array of 4-5 users (profiles). According to the documentation, these should have been the users appearing in the news feed. However, I could not find these people in the feed, and often the array contained only my own account.


This caught my interest, and I began testing the method on a news feed containing posts from my own group. After an evening of tests, I found the pattern: the array contained the administrators who had published a post in the group and the people who had suggested that post to the group, and not just for one post but for the last four, all thrown together in no particular order.

In other words, a request to newsfeed.get for the latest post in the news feed returned, in the profiles array, the administrator who had published and the user who had suggested not only that post but also the previous three.

This was already a fairly serious vulnerability, but I wanted to link specific posts to specific people.

The first thing I did was to put each community under analysis into a separate news list, which avoided the problem of users from different communities landing in the same array. My second step was to reduce the count parameter to one, so that I got a separate profiles array for each post in the group. After these steps, analysis became much easier.


I wrote a script that first created a news list containing a specific community. It then collected, for each post of that community, the profiles array returned for it. Here I ran into API limits: it only returned posts from the last 12 days, but that was enough to work with.

After collecting arrays for the maximum possible number of posts, the script began to analyze them. First, it found the user ids that occurred in exactly four arrays. Of the four posts associated with those arrays, it took the earliest: that post was the one suggested to the community by the user with that id. Those users were then filtered out of the arrays, and from what remained I compiled a list of administrators.
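To make the root cause concrete from the service side, here is an added illustration (my own constructed model, not VKontakte's code or the script from the article): a leaky response builder that assembles the profiles array from the authors and proposers of the last four posts it processed, next to a hardened builder that only includes user ids the returned items actually reference, plus a check that flags any profile id a client could not have learned from the items. The post records, user ids and the field names author_id / proposed_by / source_id are assumptions for the example and are not the real newsfeed.get schema.

```python
"""Added illustration of the profiles-array leak and a hardened builder.

Everything below is a constructed model: the posts, the user ids and the
field names (author_id, proposed_by, source_id) are assumptions, not the
real newsfeed.get response format.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Post:
    post_id: int
    community_id: int
    author_id: int      # administrator who published it (not meant to be public)
    proposed_by: int    # user who suggested the post (not meant to be public)


# Constructed sample feed for one community, newest first.
FEED: List[Post] = [
    Post(105, 1, author_id=11, proposed_by=501),
    Post(104, 1, author_id=12, proposed_by=502),
    Post(103, 1, author_id=11, proposed_by=503),
    Post(102, 1, author_id=13, proposed_by=504),
    Post(101, 1, author_id=12, proposed_by=505),
]


def public_item(p: Post) -> Dict:
    """What a reader is entitled to see: the post as published by the community.
    Negative source_id denotes a community, positive a user (assumed convention)."""
    return {"post_id": p.post_id, "source_id": -p.community_id}


def leaky_newsfeed_get(feed: List[Post], count: int) -> Dict:
    """Models the behaviour described in the article: items are trimmed to
    `count`, but profiles are still gathered from the authors and proposers of
    the last four posts the server processed, whether or not they were returned."""
    items = [public_item(p) for p in feed[:count]]
    profiles: Set[int] = set()
    for p in feed[:4]:
        profiles.add(p.author_id)
        profiles.add(p.proposed_by)
    return {"items": items, "profiles": sorted(profiles)}


def referenced_user_ids(items: List[Dict]) -> Set[int]:
    """User ids a client legitimately learns from the returned items."""
    return {it["source_id"] for it in items if it["source_id"] > 0}


def hardened_newsfeed_get(feed: List[Post], count: int) -> Dict:
    """Derive profiles only from the items being returned. The hidden
    attribution fields never enter the candidate set at all."""
    items = [public_item(p) for p in feed[:count]]
    return {"items": items, "profiles": sorted(referenced_user_ids(items))}


def extra_profile_ids(response: Dict) -> Set[int]:
    """Defensive invariant for a response test or API fuzzing harness: every id
    in `profiles` must be referenced by some returned item. Returns the ids
    that violate this, i.e. the information the response leaks."""
    return set(response["profiles"]) - referenced_user_ids(response["items"])


if __name__ == "__main__":
    leaky = leaky_newsfeed_get(FEED, count=1)
    print("leaky response leaks ids:", sorted(extra_profile_ids(leaky)))
    fixed = hardened_newsfeed_get(FEED, count=1)
    print("hardened response leaks ids:", sorted(extra_profile_ids(fixed)))
```

With count=1 the leaky builder hands out seven ids (three administrators and four proposers) for a single community post that references none of them, which is exactly the over-inclusion the article exploited; the hardened builder returns an empty profiles array for the same request because a community post references no user. The extra_profile_ids check is the kind of invariant worth asserting in API response tests so that a regression of this type is caught before release.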

If you wish, you can see the vulnerability exploitation code on GitHub.

2. Reporting the vulnerability


As a conscientious user, I then went to report the vulnerability. Since I did not consider the open bug tracker the right place for this kind of vulnerability, I contacted the developers directly. The first developer simply did not respond to my message; the second replied 4 days later, thanked me and promised to think about how to fix it.



I knew that VKontakte had no official bug bounty program, but I also knew that vulnerabilities were often rewarded in the internal currency (votes); still, I decided to put these questions aside until the vulnerability was fixed. After that, I checked on the vulnerability from time to time. This continued until April 2015, when, after reading yet another article about vulnerabilities and rewards, I checked my vulnerability again and found it still unfixed.

I decided to contact technical support about the vulnerability; after two weeks of waiting, they wrote to me that my code had been handed over to the developers and that they would notify me as soon as there was news.


In May I decided to check the vulnerability again, and it was finally fixed. It had taken 8 months. Despite the promises, no one contacted me, so I decided to write to them myself and at the same time find out the criteria by which the social network pays rewards. Another week of waiting for a reply from technical support followed, and the reply itself asked me to wait yet another.


I was contacted only on May 29, a few hours after the launch of the vulnerability reward program, and told that since "the vulnerability has already been fixed, it does not fall under the new program and they have nothing to offer."

Summary


  1. Another privacy vulnerability in VKontakte
  2. It took 8 months and 3 requests from me to get it fixed
  3. Questions about a reward were ignored until the launch of the bug bounty program, after which the program itself became the pretext for refusing any payment
  4. Technical support preferred prolonged silence to any action


UPD: It seems that after the launch of the reward program, the situation has not changed much.
