News about a hole in the password recovery system of the social network VKontakte is spreading rapidly: by entering a mobile phone number, you can get the name and avatar of the person who registered under that number.
Using this "phone book" is elementary:
1. Go to the mobile version of the site, m.vk.com
2. Click “Forgot your password?”
3. Enter the phone number
4. Get the name and avatar
Sometimes you need to enter a captcha.
The rest is a small matter: while the hole is active, the largest database of telephone numbers in Russia and the CIS can be scraped.
UPDATE: As of January 16, 2014, the problem has been partially fixed: the above method no longer gives out the user's name, only the avatar.
In some cases the avatar can still lead to the user's page if you use image search. If the avatar is a very common one, that does not matter either: in most cases the path to the picture contains the last 3 digits of the user ID (example: cs123456.vk.me/v1234567890/..., where 890 is the last 3 digits of the user ID). At the moment, the method is completely useless for finding users without an avatar.
Next in the plans: looking at how the mobile API works.
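
An added example, not part of the original post and not VK's code: a recovery handler that echoes profile data the way the post describes, next to one that returns the same response for any number and throttles lookups per client. The account data, limits and function names are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample account (hypothetical data, not taken from the post).
ACCOUNTS = {
    "+70000000001": {"name": "Alice Example", "avatar": "/img/a1.jpg"},
}
GENERIC = {"status": "ok",
           "message": "If this number is registered, a code was sent to it."}
MAX_LOOKUPS, WINDOW = 5, 3600   # assumed limit: 5 requests per client per hour
_lookups = defaultdict(deque)   # client_id -> timestamps of recent requests
sent_codes = []                 # stands in for an SMS gateway


def leaky_recover(phone):
    """Behaviour described in the post: the response echoes profile data."""
    acct = ACCOUNTS.get(phone)
    if acct is None:
        return {"status": "error", "message": "No such user"}
    return {"status": "ok", "name": acct["name"], "avatar": acct["avatar"]}


def hardened_recover(phone, client_id, now=None):
    """Return an identical response for registered and unregistered numbers."""
    now = time.time() if now is None else now
    recent = _lookups[client_id]
    while recent and now - recent[0] > WINDOW:
        recent.popleft()        # drop requests that fell out of the window
    if len(recent) >= MAX_LOOKUPS:
        return {"status": "throttled", "message": "Too many attempts."}
    recent.append(now)
    if phone in ACCOUNTS:
        sent_codes.append(phone)  # the code reaches the number's owner only
    return dict(GENERIC)          # no name, avatar, ID or existence signal
```

The hardened response contains nothing derived from the account, so the avatar path and the user ID digits embedded in it never reach an unauthenticated caller.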