VK vulnerability: access to previews of photos from dialogues and hidden albums of any user

Short

A vulnerability was discovered in the mobile version of the site vk.com. It allowed viewing previews of hidden photos, including photos from user dialogues, plus it was possible to get information about users who liked this hidden photo. At the moment, the vulnerability is no longer - it was eliminated six months ago. VKontakte expressed gratitude in the amount of $ 700 (no, not in votes).

How it all began

During the session you are distracted by everything, just not to prepare for exams. So I, seeing an article about the Bug Bounty program from VKontakte on hackerone.com, instead of preparing for exams, took to look for vulnerabilities. For some reason, immediately pulled to look for vulnerabilities associated with photos hidden privacy settings, and as it turned out - not in vain.

Search for vulnerabilities in the full version of the site

Assuming that the id of the hidden photo is known to me (I’m looking for it below), I began to try to substitute this id in various requests with curl — I tried to save the hidden images in my album, mark myself on them, like, repost, etc. nothing gave a positive result until I tried to just send a hidden photo to myself on the wall. The result was strange - in the console the request returned the correct result and a new post appeared on the wall, but its contents were empty. As I did not try, the server stopped all attempts to send a hidden photo to the wall - the posts were empty.

Switch to mobile version

')
Then, I remembered this comment and decided to try to do the same in the mobile version of the site.

Send a photo to the wall:

curl 'http://m.vk.com/wall53083705' -H 'Cookie: remixsid=#remixsid' --data 'act=post&hash=#hash&attach1_type=photo&attach1=id_id' # id         id_id 

This request was executed incorrectly, but by refreshing the page, I was surprised to find that an attached small copy of the photo appeared on the submission form.



The maximum photo size is 130x130, but this is enough to, for example, recognize faces in a photo. Attempts to get a link to the full photo did not lead to anything. Apparently, after the closure of this vulnerability, from the mobile version of the site direct links to the full size just do not get.

Enumerate photos

Vulnerability found. To exploit the found vulnerability, you need to get the id of the attacked photo.

The photo id consists of two parts: photo12345_330000000 (idPlacer_idPhoto), the second part is growing from photo to photo, but this is not an ordinary autoincrement. Since the algorithm for selecting the step is unknown, we will go through with step 1.

To iterate, we use the api photos.delete method. This method for all existing photos (including hidden ones) will return error_code : 15. And for all non-existing id photos, one will be returned.

Brute force

From this article, you can learn how to quickly sort through photos. Yes, the data in it is not the newest, but even if we consider that in a year there were twice as many photos, the search time still remains acceptable.

in order to find out direct links to pictures of the user, for example, last year, you need to sort through only 30 million (from _320000000 to _350000000) of various link variations

Taking advantage of the acceleration of enumeration from this article, the user’s photos could be iterated:

1 minute to get all your yesterday's photos, 7 minutes - all photos uploaded last week, 20 minutes - last month, 2 hours - last year.

Dropout open / hidden

Having received links to all (both hidden and open) photos of the user, you can select only the hidden ones, having tried to get information about the photo using the photos.getById method. Those photos, information about which is not returned by this method - are hidden.

Likes

You could also find out the users who liked the hidden photo. The likes.getList method returns all users who added the specified object to my list, even if this object is hidden for the user who runs this method.

Report on hackerone

My report was opened in June. We closed the vulnerability in two and a half months without telling me anything. A month later I received a reply that the vulnerability was confirmed and closed. And after some time he received a reward.

PS: for those who, for the first time, are trying to bring rewards from hackerone.com to a new paypal account, I advise you to carefully read the terms and conditions. Paypal, when transferring funds, may, without your consent, convert the remuneration into the currency of the country specified in your profile.