Let's talk about the widget for authorization.
We are told that:
With the help of the authorization widget, you can as simple as possible give users the opportunity to log in to your resource.
Also,
we are told that:
As a result of authorization, the widget returns the following fields: uid, first_name, last_name, photo, photo_rec, hash .
Recipe:
1. Create an application.
2. Add a widget to our site.
3. Use js to make it follow the cursor.
4. With the help of css make it transparent.
5. The user makes a click on the page.
6. ????????
7. PROFIT!
')
To run the demo, you must be logged in to Vkontakte.
DemoI left translucency for a better understanding of the mechanics of the process. In real life, the
opacity
value will be zero.
I thought that it was not good to distribute user data and I wrote to the support service.
Someone
Agent Support # 920 answered me:
This is not a vulnerability. What's wrong with that?
Such an undocumented opportunity ...