Vkontakte, accelerated viewing of photos - the access hole was not completely closed
As many probably know, relatively recently, vkontakte.ru launched βAccelerated Photo Viewerβ, a fairly handy chip with ajax photo switching. This mode began to be especially popular when it turned out that the access rights of the current user to the viewed photos are not checked (i.e., instead of the message βPhoto is protected by privacy settings,β you received the desired content).
After some time, vkontakte.ru programmers have closed this hole. But ... today I accidentally stumbled upon this: if you go to the userβs photo page, turn on the accelerated mode, and on this page there is at least one photo available to you - once you hit it, you can click the back arrow (go to the previous photo ) - and voila! access check is disabled again. Clicking again "back" you can see all the pictures, only in reverse order.
After some time, vkontakte.ru programmers have closed this hole. But ... today I accidentally stumbled upon this: if you go to the userβs photo page, turn on the accelerated mode, and on this page there is at least one photo available to you - once you hit it, you can click the back arrow (go to the previous photo ) - and voila! access check is disabled again. Clicking again "back" you can see all the pictures, only in reverse order.
')
Source: https://habr.com/ru/post/52096/
All Articles