A short post for anyone who has never thought about which permissions to grant to third-party services when logging in with credentials from, for example, Vkontakte.
What could be the catch?
Suppose you use Findface to search for a person by photo: you log in, and the application requests access to the following information:

Everything seems fine, you think: it probably needs access to your photos in order to find another person. You accept this rather strange assumption.
So, having received the access token, the service owner has some time to download all of your photos, including those from albums marked like this:
"privacy_view": ["only_me"], "privacy_comment": ["only_me"]
i.e. not only these:
"privacy_view": ["all"], "privacy_comment": ["all"]
You can verify this yourself with just 2 requests:
this one, and then, substituting the required album identifier,
this one. You have now obtained direct links to the photos in closed albums.
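As an added example (not code from the original post), a small Python audit of what a token with the photos permission exposes. It takes an album listing in the shape shown above (constructed sample data with the `privacy_view`/`privacy_comment` fields) plus the list of scopes an application requests, and reports which restricted albums that grant would reach; the scope name `photos` and the `size`/`title` fields are assumptions.

```python
import json

# Constructed sample album listing, using only the fields this audit needs.
SAMPLE_ALBUMS = json.dumps([
    {"id": 1, "title": "Public", "size": 12,
     "privacy_view": ["all"], "privacy_comment": ["all"]},
    {"id": 2, "title": "Personal", "size": 3,
     "privacy_view": ["only_me"], "privacy_comment": ["only_me"]},
    {"id": 3, "title": "Friends", "size": 7,
     "privacy_view": ["friends"], "privacy_comment": ["friends"]},
])


def restricted_albums(albums_json: str):
    """Return (id, title, size, privacy_view) for every album that is not
    viewable by everyone. Album privacy only limits other *users*; an app
    acting with the owner's own token sees all of them."""
    found = []
    for album in json.loads(albums_json):
        view = album.get("privacy_view", ["all"])
        if "all" not in view:
            found.append((album["id"], album["title"],
                          album.get("size", 0), view[0]))
    return found


def exposure_report(albums_json: str, requested_scopes):
    """Summarise what granting the requested scopes would expose.

    Assumption: the photo-related permission is the scope string "photos".
    Without it the app cannot list albums at all; with it, every restricted
    album (only_me, friends, ...) is reachable regardless of its privacy."""
    if "photos" not in requested_scopes:
        return {"photos_scope": False, "exposed": [], "photo_count": 0}
    exposed = restricted_albums(albums_json)
    return {
        "photos_scope": True,
        "exposed": exposed,
        "photo_count": sum(size for _, _, size, _ in exposed),
    }


if __name__ == "__main__":
    print(exposure_report(SAMPLE_ALBUMS, ["friends", "photos"]))
```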
Conclusions:
- Unknown persons get access to your most personal data, and Vkontakte does not draw attention to this in any way.
- #TheFappening is just around the corner if the owner of one of these applications does something similar.
- Before granting permissions to an application that you did not write, think three times.
- Periodically revoke access granted to applications, especially those granted access for an unlimited time, so that there is no incident in the future, even if you do not store anything critical in your albums now.
- I will leave an example with similar access as homework.