How a new phone helped find a VKontakte vulnerability
Good afternoon, Habr!
I want to tell you the story of how I once found a VKontakte vulnerability that allows identifying a user's page on that social network by phone number.
It all started with the purchase of a new phone. After buying it, I installed the VKontakte app for Android and entered my credentials to log into my account. The app then offered to search my phone book for friends, which I did. My surprise knew no bounds when it offered to add the friends it had found. There were several of them, and the essence of the search became clear to me: I saved several numbers unknown to me in the phone book and ran the search again. The app returned a few pages of users I did not know at all.
Being a law-abiding user, I used the hackerone.com platform to report the vulnerability. A month and a half after filing the bug report I received an answer. To say that I was surprised would be an understatement. After all, the 2 users found at random obviously could not have saved my phone number, and likewise some of the friends found in my first search did not even have the VKontakte app installed on their phones. By the time I replied, the bug had already been fixed. After this incident, my desire to help this social network was gone.
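The behaviour described above, one-sided contact matching, is the root of the problem: any phone number uploaded by any account is resolved to a user page. Below is an added example (my own illustration, not VKontakte's code) of the leaky matcher next to a hardened one that reveals a match only when the target is discoverable and already holds the requester's number, plus a per-account upload budget that blunts bulk enumeration. The user directory, phone numbers, and function names are all constructed for the example.

```python
"""Contact discovery: the leaky matcher beside a mutual-contact matcher.

Added example, not VKontakte's code. All users, numbers and names are
constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed directory: user id -> own phone, the phones in that user's
# own address book, and whether the user opted in to being found by phone.
USERS = {
    "alice": {"phone": "+10000000001", "contacts": {"+10000000002"}, "discoverable": True},
    "bob":   {"phone": "+10000000002", "contacts": {"+10000000001"}, "discoverable": True},
    "carol": {"phone": "+10000000003", "contacts": set(),            "discoverable": True},
    "dave":  {"phone": "+10000000004", "contacts": set(),            "discoverable": False},
}
PHONE_INDEX = {u["phone"]: uid for uid, u in USERS.items()}


def normalize(phone: str) -> str:
    """Canonicalise a user-supplied number to +digits (assumes E.164 input)."""
    return "+" + "".join(ch for ch in phone if ch.isdigit())


def find_friends_leaky(requester: str, uploaded: list[str]) -> list[str]:
    """The behaviour the post describes: every uploaded number that belongs
    to a registered user is resolved to that user's page, regardless of
    whether that user knows the requester."""
    return sorted(
        PHONE_INDEX[n] for n in map(normalize, uploaded) if n in PHONE_INDEX
    )


def find_friends_mutual(requester: str, uploaded: list[str]) -> list[str]:
    """Hardened matcher: a match is revealed only if the matched user opted
    in to discovery AND already has the requester's number saved, i.e. the
    relationship is mutual. Unknown numbers and the requester's own number
    yield nothing, so the response cannot be used as a phone-to-page oracle."""
    requester_phone = USERS[requester]["phone"]
    matches = []
    for n in map(normalize, uploaded):
        uid = PHONE_INDEX.get(n)
        if uid is None or uid == requester:
            continue
        target = USERS[uid]
        if target["discoverable"] and requester_phone in target["contacts"]:
            matches.append(uid)
    return sorted(matches)


class UploadBudget:
    """Caps the number of distinct phone numbers one account may probe.

    A real address book is uploaded once and changes slowly; an account that
    keeps probing fresh numbers is enumerating, so the budget refuses it."""

    def __init__(self, limit: int):
        self.limit = limit
        self.seen: dict[str, set[str]] = defaultdict(set)

    def allow(self, requester: str, uploaded: list[str]) -> bool:
        new = set(map(normalize, uploaded)) - self.seen[requester]
        if len(self.seen[requester]) + len(new) > self.limit:
            return False
        self.seen[requester] |= new
        return True


if __name__ == "__main__":
    probe = ["+1 000 000 0002", "+10000000003", "+10000000004"]
    print("leaky:", find_friends_leaky("alice", probe))
    print("mutual:", find_friends_mutual("alice", probe))
```

Running the block shows the leaky matcher returning `bob`, `carol` and `dave` for a requester none of the last two know, while the mutual matcher returns only `bob`. The budget is deliberately keyed on distinct numbers rather than on request count, because a sync feature legitimately re-uploads the same book many times but rarely sees thousands of new numbers.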
UPD 05/24/2016: after publication I received a response from the support service: the disclosure of personal information is not considered a vulnerability.