⬆️ ⬇️

Administrators of groups in vk have always been in the public domain.

Earlier, I wrote one post on geektimes that there were no truly anonymous public accounts in VK until 10/29/14 . But as it turned out, I was wrong about the date. And he did not fully realize the essence of the existing problem of anonymity.



Most of the users of the social network "VKontakte" are familiar with the principle of the work of groups and public pages. There is one creator, moderators and subscribers. Depending on the settings, some of them have the opportunity to post their own publications in the community feed. It is logical that the server will store data about everyone who participated in posting a message. The longest chain consists of two elements: the user who wrote the message in the “offer news” block and the moderator, whose hand was confirmed. Based on this, it can be assumed that this data can be obtained through api.



Referring to the documentation it is easy to find out that most of the methods associated with public objects (wall posts, photos, documents, ...) in the response return the result of the query and two additional arrays (if you specify extend = true when prompted):



response: { items: [], profiles: [{ id: 1, first_name: 'Pavel', last_name: 'Durov', sex: 2, screen_name: 'durov', photo_50: 'http://cs629231.v...543/FfB--bOEVOY.jpg', photo_100: 'http://cs629231.v...542/fcMCbfjDsv0.jpg', online: 0 }], groups: [] } 


By the names of the arrays it is clear what they should contain and what they are for. When you request a message from the community wall, we get the message itself, the user who wrote it (+ moderator), and the object of the group itself. Everything is extremely simple and transparent. But in many communities there is the concept of anonymity. For example, groups in which people talk about their lifetimes and adversities, through the functionality of “offer news” marked “anonymous.” The moderator, before publishing the post, will uncheck the corresponding checkbox and the account of the true author will not be displayed anywhere. Or a publicist who wants to remain in the shadows and not reveal his identity, in the settings of his public page will remove all links and notes about the creator.

')

The first time I encountered the fact that the simplest query wall.get returns in the list of users the person from the first example. I wrote about this (link in the header). And so, after two years, I once again simply turned to the documentation of interest. This time I watched the newsfeed.getComments method without any malicious intent. This method returns posts where the current user left a comment or otherwise subscribed to notifications (section “My News -> Comments”). Having received the results I needed, I noticed that there are 5 accounts in the response of the server in the ill-fated profiles array. Why they are needed and where they come from should immediately find out. For tests, I took an anonymous group in my city, left a comment under the last post, and looked at the server's response, upon request to this method.



It turned out that each of these users was directly related to the post. The first was the one who published the news, that is, the person with rights not lower than the moderator, the second was the one who “offered the news”, if there was any, and the remaining three were the last to comment on the post. After checking on those groups in which all this data was “hidden” by privacy settings, everything was just confirmed. Everything was exactly the same: everything that was hidden by the privacy settings was available with three clicks.



The first thing I wanted to do was to report this misunderstanding to the resource bug tracker. Where I met the tape of errors currently being processed related to minor shortcomings of a'la "you have a cant with layout, two pixels extra". After ten minutes of searching, I was desperate to find the button "report a security hole the size of a Boeing hangar about an error." The guys from the forums offered to run the form via the web console, but this form did not send data referring to access denied. We didn’t want to contact usual technical support because of the last time, especially since during testing new.vk.com they answer 2-3 days there. Therefore, I decided to write to someone who, as I thought, it would be interesting, thereby drawing attention to the error. The choice fell on vc.ru, as the most accessible in terms of communication - they have all the buttons on the site in place. Especially since the old publication about a guy who received a monetary reward for being able to find out the group administrator through a link to the repost has surfaced.



While waiting for an answer from them, I investigated all possible variations of using the method. There were restrictions, nevertheless, it was that these users could only be recognized if the post was on the wall of the community, comments were allowed in the community. It was this restriction that prevented me from proving to someone from vc that I was not just inventing who moderates which group. They asked to say who the admin of their group, and their comments are disabled. I just began to overwhelm them with a list of moderators of famous news communities: Channel One, RBC, Izvestia and others. Along the way, I dropped the same links into my group without subscribers, so as not to lose along with the correspondence and brag to all my two friends. I did not take into account the fact that the links in the posts of the group tend to notify the people noted in them. And I wrote one of these moderators with a request to tell you how I did it. I darkened to the last, expecting that vc will somehow help with the closure of the hole. Two hours later, from vc, they told me that they had informed Vk, but they themselves would not do anything.



The bottom line: my account with all contacts, portfolio, music collection, notes and bookmarks has sunk into oblivion with the signature "locked forever." My groups have been deleted, the records have been lost, the hole has been completely closed, now nothing is displayed in the profiles . The only thing left for me from this case is the unwillingness to report this to anyone at all.

Source: https://habr.com/ru/post/282906/



All Articles