Security error of VKontakte web applications. Rule other applications
The essence of the problem: you can change the property "theme of the site" for any application such as a Web site, even for the one that does not belong to us.
The code in the annotation to the article is exclusively annotation and there are no methods in the VKontakte API.
How did it happen:
- 1. Create an application with the same site address as the application of the victim;
- 2. Open the application for editing, the "Settings" tab, there is a pop-up list of the "theme of the site", change. Now the original application has also changed the subject;
- 3. Check. Check is not possible. I could not find where to look at this property and did not even find a method in the list of API API methods that would return information about the application, however if you own several applications or create applications according to the above rules even on different accounts , then you can make sure of it.
The code in the annotation to the article is exclusively annotation and there are no methods in the VKontakte API.
')
Source: https://habr.com/ru/post/204586/
All Articles