
VKontakte not only does not pay users for the vulnerabilities they find, it does not even review them

In my humble opinion, banal bugs such as SQL injection in GET parameters and command execution through a pipe are receding into the distant past. Frameworks developed by dozens and hundreds of people, automated testing and best programming practices leave little chance for what was commonplace in the early 2000s. In my view, the present is the era of race conditions, logic bugs, misconfigurations and, of course, XSS, and these lead to a variety of serious consequences.

Without denying that simple critical vulnerabilities still exist today, which practice confirms, I would like to tell you about one interesting and at the same time simple logic bug in the social network VK.com.


Surely everyone who is at all interested in the subject has long known that VKontakte launched its vulnerability reward program on HackerOne. Having solemnly announced this on Habr, the social network apparently got what everyone knows about but for some reason forgets: the Habr effect. I cannot otherwise explain the indecently long wait for a response to my report. To be more or less precise, the waiting time at the moment is over six months. Being a patient person by nature, I did not pester the VK team much, as many impatient writers do. I provide the timeline for clarity:
- 05/31/15 Report sent.
- 06/09/15 Status changed to Triaged.
- 07/21/15 I ask how things are going.
- 09/08/15 I ask about the review time.
- 09/30/15 I send a ping.
- 11/11/15 I once again point out the consequences of the bug and declare a disclaimer of responsibility.
- 12/17/15 Another ping.
- 12/23/15 I notify them that I am writing an article on Habr.

As you can see, apart from changing the report's status with the message “Thank you. We are investigating the problem and will write to you,” VKontakte took no action. Undoubtedly, photo privacy, XSS and any other types of attacks on users are more important than bugs affecting the social network's own budget, so I waited patiently for my turn. But periodically watching the public activity in the VK.com program, I realized that for some reason they had given up on my report and I would not get an answer. Therefore, having waited an adequate amount of time for a response to the incident, I decided to share my interesting find with you.

The description of the bug is worth starting with the fact that, by my assumption, it has existed since targeted advertising on the CPC model first appeared on vkontakte.ru. How much money VKontakte has lost “thanks” to this misstep is unknown. Having once decided to become a cool traffic arbitrageur, I spent quite a long time in the advertising section, which brought me face to face with this omission by VK's programmers.

It turned out that with a certain combination of actions it is possible not to pay for clicks on advertising. This means you can drain unlimited budgets while paying only 100 rubles, and those are needed only to pass the system's minimum thresholds. Now to the details; here is the content of my report sent on May 31:

Hello. In CPC targeting there is, in my opinion, a serious bug that allows running ads with any cost per click, without limit and almost for free. For a PoC you will need to:

- Create any advertising campaign with CPC payment.
- Set its limit to 100 rubles, since less is not allowed.
- Spend 100 rubles in it to reach the minimum limit.
- Now you can set any cost per click from 0.5 to 100. For example, take 10 rubles.
- Set the limit to 110 rubles.
- Launch the campaign.
- Refresh the campaign page before its status has changed to “Running”.
- Reduce the limit to 100 rubles.

After that, impressions and reach will appear in the statistics as usual. Once a click occurs, the campaign will stop and that click will not appear in the statistics. No money will be charged, although the user will be successfully redirected to the advertised page. This can be observed in the logs of the server the user is redirected to.

As a result, unlimited targeting costs 100 rubles per campaign. Moreover, with a few lines of code the process can be automated and parallelized across multiple accounts.

I do not undertake to assess it, since I have no idea of the system's architecture, but it looks very much like a logic bug. I leave the seriousness for you to judge :)

I hope the report is useful to you.
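To make the ordering problem concrete, here is a small Python model added for this article; it is not VK's code (the report itself says the system's architecture is unknown), and the campaign fields and function names are assumptions. It places the ordering that reproduces the described symptom (a redirect with no charge) beside a hardened ordering that bills before it stops, and that stops a campaign the moment its cap is lowered to the amount already spent:

```python
from dataclasses import dataclass
@dataclass
class Campaign:
    limit: float            # budget cap in rubles
    spent: float = 0.0      # amount billed so far
    cpc: float = 10.0       # cost per click (the report picks 10 rubles)
    running: bool = False
    clicks: int = 0         # clicks shown in statistics

def set_limit(c: Campaign, new_limit: float, hardened: bool) -> None:
    """Lowering the cap to what is already spent (110 -> 100) leaves a
    running campaign with no budget; the hardened path stops it at once."""
    c.limit = new_limit
    if hardened and c.spent >= c.limit:
        c.running = False

def click_buggy(c: Campaign) -> bool:
    """Assumed vulnerable ordering: a budget already exhausted when the click
    arrives stops the campaign and returns early, unbilled but redirected."""
    if not c.running:
        return False
    if c.spent >= c.limit:
        c.running = False
        return True             # redirected, nothing charged, no statistics
    c.spent += c.cpc
    c.clicks += 1
    if c.spent >= c.limit:      # normal case: cap reached, campaign stops
        c.running = False
    return True

def click_fixed(c: Campaign) -> bool:
    """Hardened ordering: bill before deciding to stop, so every redirect
    is a paid click (a one-click overshoot of the cap is accepted)."""
    if not c.running:
        return False            # stopped campaigns serve nothing
    c.spent += c.cpc
    c.clicks += 1
    if c.spent >= c.limit:
        c.running = False
    return True

def scenario(hardened: bool) -> tuple:
    """Replay the report: 100 spent of a 100 cap, cap raised to 110, launch,
    cap lowered back to 100, one click. Returns (redirected, spent, clicks, running)."""
    c = Campaign(limit=100.0, spent=100.0)
    set_limit(c, 110.0, hardened)
    c.running = True
    set_limit(c, 100.0, hardened)
    redirected = click_fixed(c) if hardened else click_buggy(c)
    return redirected, c.spent, c.clicks, c.running
```

In the model, `scenario(False)` returns a redirect with spend and click count unchanged, while `scenario(True)` refuses to serve because the campaign was stopped when its cap dropped to the spent amount.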


As of 12/28/15 6:15 PM Moscow time, the trick is fully functional and available for use. I will not publish screenshots or video explanations, because I did not save anything and I think the responsible person will immediately understand what is meant, and reproducing the sequence from the description is not difficult.

Perhaps I have somewhat exaggerated the significance of this error and it is not so important. But I still hope the report will be useful to them, and that it will be read not by the people responsible for security, who have shown not the slightest interest, but by those in charge of the company's finances.

For me, this article serves as one more reason to remind beginners, among whom I count myself, and those who are planning to get into bug hunting: it is not necessary to be able to find complex chains for executing code during object deserialization, and it is not always necessary to study tons of specs and manuals. Many interesting, and often critical, bugs lie on the surface; you just have to try to use the provided functionality a little outside the standard way.

Thank you for taking the time to read this little cry from the soul. All the best and tasty bugs!

PS Do not try to repeat the described actions. Use of this material for personal gain may be prosecuted!

PPS The day after publication (12/29/15), the report was closed with the status "Duplicate". No explanation followed.

Source: https://habr.com/ru/post/274215/

