Not a feature, but a bug
December 22, 2017 - VKontakte rolled out an interesting upgrade of its own iOS application. Here is a news agency quote regarding specific changes:
Technology AMP, the development of which was initiated by Google, is designed to accelerate the work of websites on all devices and platforms. This is a modern approach to optimizing HTML and CSS, allowing you to speed up loading on devices using the preconnect API and asynchronous execution of Javascript.
AMP tries to preload the contents of a supported page using the platform on which you see the link - a social network or instant messenger. When you simply scroll updates, AMP pages are loaded in the background, when you click on the link, the page opens on your mobile device almost instantly.
AMP has a page with a detailed description, a bunch of manuals and instructions, however, the developers of the VKontakte iOS application managed to build a howitzer from, in fact, a children's designer (the basic implementation of AMP) and charge it with warheads (an iOS application bug).
')
We do not know exactly what happened on VKontakte when introducing AMP into an iOS application. The Android version of the application does not have this problem.
As a company that primarily deals with denial of service attacks, we carefully monitor the traffic of our customers. Some of them (we will not name specific names in this publication, all persons associated with this incident were informed) informed us about traffic anomalies, which motivated Qrator Labs to look deeper into the logs.
What we found impressed us. One of the largest social networks, available in 80 languages, with more than 400 million accounts, actually implemented DDoS on some resources, mainly news agencies and those companies that aggressively export news to Vkontakte. Because of a banal error in a single implementation of AMP for iOS.
Fortunately, VKontakte uses either a new or rarely used user agent to preload pages:
Part of our anonymized statistics looks like this.
Large news agency with several servers :
Retailer :
Media company :
News Agency :
What happens on these servers?
When a page that supports AMP appears in the user's tape of an iOS application on VKontakte, in some cases the application makes up to 5,000 requests with this user agent, which in itself is a classic example of a DDoS attack. Since there are a lot of users in the world, and technologies like AMP and other “instant view” are quickly spread and implemented by a wide variety of resources (eBay), the number of such links will only grow.
The danger of this bug is estimated by us as average, since we are mainly talking about light and cached pages that do not require significant server resources to issue. But for the pages generated for each request, this situation can be painful.
More importantly, there is no normal way to stop publishing AMP-compatible links on the social network. VKontakte (the representative of which we contacted before publishing) will fix this bug, but no one forbids the attacker or just passing by to find this opportunity for a more interesting application. Before releasing VKontakte iOS applications, make sure that the pages you submit with AMP support are cached.
VKontakte is doing a great job providing its users with the latest technology. Special thanks to Sergey Paranko, the director of the VKontakte media ecosystem, who responded to our request, saying that this problem will be fixed.
The new version of VKontakte for iOS and Android now supports Accelerated Mobile Pages (AMP), a mobile standard that allows you to quickly load external articles. Now the pages of all sites that have configured AMP, open right inside the application.( official news )
Technology AMP, the development of which was initiated by Google, is designed to accelerate the work of websites on all devices and platforms. This is a modern approach to optimizing HTML and CSS, allowing you to speed up loading on devices using the preconnect API and asynchronous execution of Javascript.
AMP tries to preload the contents of a supported page using the platform on which you see the link - a social network or instant messenger. When you simply scroll updates, AMP pages are loaded in the background, when you click on the link, the page opens on your mobile device almost instantly.
AMP has a page with a detailed description, a bunch of manuals and instructions, however, the developers of the VKontakte iOS application managed to build a howitzer from, in fact, a children's designer (the basic implementation of AMP) and charge it with warheads (an iOS application bug).
')
We do not know exactly what happened on VKontakte when introducing AMP into an iOS application. The Android version of the application does not have this problem.
As a company that primarily deals with denial of service attacks, we carefully monitor the traffic of our customers. Some of them (we will not name specific names in this publication, all persons associated with this incident were informed) informed us about traffic anomalies, which motivated Qrator Labs to look deeper into the logs.
What we found impressed us. One of the largest social networks, available in 80 languages, with more than 400 million accounts, actually implemented DDoS on some resources, mainly news agencies and those companies that aggressively export news to Vkontakte. Because of a banal error in a single implementation of AMP for iOS.
Fortunately, VKontakte uses either a new or rarely used user agent to preload pages:
VK/74 CFNetwork/<cfn version> Darwin/<ios version> Part of our anonymized statistics looks like this.
Large news agency with several servers :
- up to 20% of the total response time was spent on these requests from 2% (of all unique) IP with this application
- up to 16% of all requests from the application
- 50-66% of all requests from 8-15% of all IP, 65-77% of the total response time
- up to 25% of all requests
- up to 18% of all requests
Retailer :
- 91-98% of all requests from 15-31% (of all unique) IP with this user agent, up to 33% of the time to process these requests
Media company :
- 13-46% of all requests from 1-5% IP
News Agency :
- up to 12% of all requests
What happens on these servers?
When a page that supports AMP appears in the user's tape of an iOS application on VKontakte, in some cases the application makes up to 5,000 requests with this user agent, which in itself is a classic example of a DDoS attack. Since there are a lot of users in the world, and technologies like AMP and other “instant view” are quickly spread and implemented by a wide variety of resources (eBay), the number of such links will only grow.
The danger of this bug is estimated by us as average, since we are mainly talking about light and cached pages that do not require significant server resources to issue. But for the pages generated for each request, this situation can be painful.
More importantly, there is no normal way to stop publishing AMP-compatible links on the social network. VKontakte (the representative of which we contacted before publishing) will fix this bug, but no one forbids the attacker or just passing by to find this opportunity for a more interesting application. Before releasing VKontakte iOS applications, make sure that the pages you submit with AMP support are cached.
VKontakte is doing a great job providing its users with the latest technology. Special thanks to Sergey Paranko, the director of the VKontakte media ecosystem, who responded to our request, saying that this problem will be fixed.
Source: https://habr.com/ru/post/347322/
All Articles