Ways to de-anonymize the managers of Vkontakte communities and applications

All the described methods were sent to Vkontakte via HackerOne, but Vkontakte decided that these methods are not problems. The decision was made 6 months after the status of the report was changed to Triaged. I tried to convince them, but did not see an answer.



Many of the links shown will not work for you, since they are different for everyone.



De-anonymization of community managers



Through videos



When access to community videos is restricted, only the editors and administrators of the community can add new videos.


The community video page has an "Uploaded" tab, which shows only videos uploaded from a computer. If community videos are restricted, the Uploaded tab shows the videos that managers uploaded. The problem is that direct links to videos contain the uploader's ID. By looking at the identifiers you can de-anonymize the managers.



Example on a community created for this purpose: vk.com/club143400909



We pull out the direct link or HLS stream of the video: vk.com/video-143400909_456239017

Direct link: cs632300.userapi.com/4/u237115941/videos/5115525024.240.mp4

HLS stream: cs632300.userapi.com/video/hls/4/u237115941/videos/5115525024/index-f1-v1-a1.m3u8

We see that the manager is vk.com/id237115941


Example on the community vk.com/meduzaproject (with their permission)

Video: vk.com/video-76982440_456239236

Direct link: cs632603.userapi.com/1/u1564856/videos/84c5da2b5a.240.mp4

Manager: vk.com/id1564856


Video: vk.com/video-76982440_456239231

Direct link: cs632606.userapi.com/3/u464017/videos/7ec04da5ac.240.mp4

Manager: vk.com/id464017

In total, 4 managers were found across all the videos.


A manager can also be de-anonymized through the cover image of a video added from another source (YouTube, RuTube, etc.). The link to the cover contains the identifier of the first user who added this video to vk.com, i.e. this method works only if you know that the video was added by a manager and that they were the first to add it. This could be a video with contest results or something similar.



Video: vk.com/video-143400909_456239018

Link to the cover: pp.userapi.com/c836123/u237115941/video/l_5881cb5e.jpg

We see that the manager is vk.com/id237115941


Through audio recordings



The problem is the same. A direct link to an audio recording contains the uploader's ID. Nothing shows whether an audio recording was added from search or uploaded from a computer, so this method works only if the manager uploaded the audio recording. Such audio recordings can be recognized (a recording of a radio broadcast, etc.).



Audio recording in the community vk.com/club143400909: Melodies - Karelo-Finnish polka

Direct link: psv4.userapi.com/c815220/u237115941/audios/eb9137fb510b.mp3

We see that the manager is vk.com/id237115941


Example on the community vk.com/meduzaproject

Audio recording: “Medusa” - How to find out how much Sobyanin's “wine glasses” cost?

Direct link: psv4.userapi.com/c613316/u1564856/audios/1cb08ff13792.mp3

Manager: vk.com/id1564856


Through documents



A direct link to a document contains the uploader's ID. If you know that a document was uploaded by a manager, the manager can be de-anonymized. Many people upload documents with contest information and group rules.



Example on the created community vk.com/club143400909

Document: 1.ts

Direct link: cs7064.userapi.com/c812339/u237115941/docs/c134bbccadba/1.ts


If the document is an image, you can de-anonymize through its thumbnail.



Document: G.png

Link to the thumbnail: pp.userapi.com/c812235/u237115941/-3/m_56c1679b77.jpg

We see that the manager is vk.com/id237115941


By the end of the identifier



This method can be combined with the other methods. A direct link to an uploaded image contains the last digits of the uploader's ID. You can get the list of all community members and select those whose IDs end the same way. If the community is small, the result will most likely be a single page; if it is large, there will be several, but the manager will definitely be among them. You can also de-anonymize the author of a post if the post has an uploaded image. If the community is large and the selection yields many identifiers, you can get the list of users who liked the posts and select from it (in case the author liked their own post).



Direct link to the group picture: pp.userapi.com/c836123/v836123941/2362f/5TA-jc1s8Q0.jpg

End of ID: 941

Community manager: vk.com/id237115941


Direct link to the cover of the community vk.com/meduzaproject:

cs7064.userapi.com/c639129/v639129017/92f9/itZoAG-k1GQ.jpg

End of ID: 017

Manager: vk.com/id464017


De-anonymization of the main application administrator



In the application settings you can upload a 16x16 application icon, which after uploading gets a link that contains the administrator's page identifier. The link to the icon always shows the identifier of the main administrator, even if the icon was uploaded not by the main administrator but by another user with manager rights. Also, by revealing the application's administrator you also reveal a manager of the application's community, since a group can be set in the application settings if you are a manager of it.



Link format: pp.userapi.com/cDigits/uAdministrator_ID/name.gif
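
One way a platform could close the leaks described above, as an added example that is not part of the original article and not Vkontakte's code: `leak_kind` audits a media URL for the two path shapes shown on this page, and `opaque_media_url` is a hypothetical replacement scheme. The key, the host `cdn.example` and the `/m/` prefix are assumptions.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption); a real service would load it from a secret store.
URL_KEY = b"constructed-demo-key"

# Path shapes copied from the links on this page.
FULL_ID = re.compile(r"/u\d+/")               # .../u237115941/videos/...
ID_SUFFIX = re.compile(r"/c(\d+)/v\1\d{3}/")  # .../c836123/v836123941/...


def leak_kind(url):
    """Classify what a media URL reveals about its uploader, or None."""
    # Drop an optional scheme and the host, keep the path with a leading slash.
    path = "/" + url.split("://", 1)[-1].split("/", 1)[-1]
    if FULL_ID.search(path):
        return "full-id"
    if ID_SUFFIX.search(path):
        return "id-suffix"
    return None


def opaque_media_url(host, uploader_id, object_name):
    """Build a media URL whose directory is an HMAC token, not the account ID.

    The object name is part of the HMAC input, so two uploads by the same
    account get unrelated tokens and cannot be linked to each other either.
    """
    msg = f"{uploader_id}:{object_name}".encode()
    token = hmac.new(URL_KEY, msg, hashlib.sha256).hexdigest()[:32]
    return f"{host}/m/{token}/{object_name}"


if __name__ == "__main__":
    for u in ("cs632300.userapi.com/4/u237115941/videos/5115525024.240.mp4",
              "pp.userapi.com/c836123/v836123941/2362f/5TA-jc1s8Q0.jpg",
              opaque_media_url("cdn.example", 237115941, "5115525024.240.mp4")):
        print(leak_kind(u), u)
```

A token computed from the account ID alone would hide the number but still let anyone group every file uploaded by the same manager, which is why the object name is mixed in.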

Source: https://habr.com/ru/post/325840/


