Social media
o_O_Tync, 2010-12-14 16:19:53

How can a site find out a user's id in social networks?

Today the girl said that she had been browsing a “specific online store”, and two hours later a person wrote to her on VKontakte, the store manager, offering her advice on the goods she had viewed.

It is easy to find out from the logs which products she looked at. But how were the logs associated with her VKontakte id?

Is it a bug or a feature? :)

UPD: She went to the site from Yandex; there were no VKontakte OpenAPI authorization windows like “You are going to allow this site access to your data”.
So far, I'm inclined to think that this is either a VKontakte bug, or some trojan / toolbar installed in the browser, or there was a loophole through Flash. However, all this is hard to believe :)


13 answer(s)
Ice_venom, 2010-12-14
@o_O_Tync

Well, I dug into the API a little: everything is feasible. We connect the site to VKontakte. Next, use the following code on the connected site:

<html>
<head>
    <script src="http://vkontakte.ru/js/api/openapi.js" type="text/javascript"></script>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<script language="javascript">
window.onload = (function() {
    VK.init({
          apiId: 2046606 // id of the connected site
        });
    function authInfo(response) 
    {
      if (response.session)
      {
        document.getElementById('t').innerHTML = "Your ID: " + response.session.mid;
      } 
      else 
      {
        document.getElementById('t').innerHTML = 'Вы не авторизованы вконтакте.';
      }
    }
    VK.Auth.getLoginStatus(authInfo);
});
</script>
<div id='t'></div>
</body>
</html>

Example:
svedm.com/test.html

djerom, 2015-07-05
@djerom

Updated, maybe it will help someone

<html>
<head>
  <script src="//vk.com/js/api/openapi.js" type="text/javascript"></script>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<script>
window.onload = (function() {
    VK.init({
          apiId: 4983778 // YOUR_IP_ID
        });
    function authInfo(response) 
    {
      if (response.session)
      {
        document.getElementById('id').innerHTML = "Your ID: " + response.session.mid;
      } 
      else 
      {
        document.getElementById('id').innerHTML = 'Вы не авторизованы вконтакте.';
      }
    }
    VK.Auth.getLoginStatus(authInfo);
});
</script>
<div id='id'></div>

</body>
</html>

JeanLouis, 2010-12-14
@JeanLouis

The VKontakte API for websites has been around for a long time. VKontakte itself is loaded via an iframe, so all its cookies are available; it identifies the user and can pass this information to the site using the API.

Ice_venom, 2010-12-14
@Ice_venom

Then, as an option, loading feed2.php and parsing the JSON.

Kalantyr, 2010-12-14
@Kalantyr

Do you know how she got to this online store? If through the search for goods on VKontakte, then everything is explained simply :)

Robotex, 2010-12-14
@Robotex

We go to connect.ua/ and press the Login Vkontakte button. No confirmation appears.

Vitaly Sukharev, 2016-06-01
@SuharevVitaly

For those following the issue who are not yet in the know: Yandex is actively fighting this. https://yandex.ru/blog/webmaster/21745

Ice_venom, 2010-12-14
@Ice_venom

I don’t know how it is now, but earlier it was possible to do this by inserting a 1x1px iframe into the site, which loaded a direct link to vote for the user’s proposal.

Robotex, 2010-12-14
@Robotex

If she went to the site of the store from VKontakte, then the address of her page was saved in the referrer of the site.

Paketik, 2010-12-14
@Paketik

"You are not authorized in VKontakte."
fail

Alexander, 2010-12-15
@Awake

It is quite possible to put a consent button under some frequently pressed button on the site. Well, then everything is clear, as it were.

vis0r, 2014-08-25
@vis0r

Clickjacking is quite possible. For example, as in this example, only with the authorization widget completely invisible. jsfiddle.net/Ej25j
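
A detection-side check for the two tricks mentioned in this thread, the 1x1px iframe (Ice_venom) and the invisible authorization widget (vis0r): it flags cross-origin iframes that a visitor cannot see. This is an added example, not code from any participant; the thresholds, the frame-record fields and the hosts are assumptions.

```javascript
// Added example. Thresholds and the frame-record fields are assumptions.
const TINY_PX = 2;         // frames this small are treated as "pixel" frames
const FAINT_OPACITY = 0.1; // at or below this a user cannot see the frame

// Pure check over frame records, usable in a browser console or a crawler.
function auditFrames(frames, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const f of frames) {
    let url;
    try { url = new URL(f.src, pageUrl); } catch (e) { continue; }
    if (!/^https?:$/.test(url.protocol) || url.origin === pageOrigin) continue;
    const reasons = [];
    const unrendered = f.display === 'none' || f.visibility === 'hidden';
    const tiny = f.width <= TINY_PX || f.height <= TINY_PX;
    const faint = f.opacity <= FAINT_OPACITY;
    if (unrendered) reasons.push('not-rendered');
    if (tiny) reasons.push('pixel-sized');
    if (faint) reasons.push('transparent');
    if (reasons.length === 0) continue; // visible third-party widget: fine
    // A full-size transparent frame that still receives clicks is the overlay case.
    const clickable = faint && !tiny && !unrendered && f.pointerEvents !== 'none';
    findings.push({ origin: url.origin, reasons, clickable });
  }
  return findings;
}

// Browser-side collector. Opacity multiplies down the ancestor chain, so a
// frame with opacity 1 inside a transparent wrapper is still invisible.
function collectFrames(doc) {
  const win = doc.defaultView;
  return Array.from(doc.querySelectorAll('iframe')).map((el) => {
    const cs = win.getComputedStyle(el);
    const box = el.getBoundingClientRect();
    let opacity = 1;
    for (let n = el; n; n = n.parentElement) opacity *= parseFloat(win.getComputedStyle(n).opacity);
    return { src: el.src, width: box.width, height: box.height, opacity,
             display: cs.display, visibility: cs.visibility, pointerEvents: cs.pointerEvents };
  });
}

// Constructed sample records (hypothetical hosts), so the check runs in Node too.
const SAMPLE_PAGE = 'https://shop.example/catalog';
const SAMPLE_FRAMES = [
  { src: 'https://social.example/widget_comments', width: 500, height: 300, opacity: 1, display: 'block', visibility: 'visible', pointerEvents: 'auto' },
  { src: 'https://social.example/vote?id=1', width: 1, height: 1, opacity: 1, display: 'block', visibility: 'visible', pointerEvents: 'auto' },
  { src: 'https://social.example/widget_auth', width: 200, height: 40, opacity: 0, display: 'block', visibility: 'visible', pointerEvents: 'auto' },
  { src: '/banner.html', width: 1, height: 1, opacity: 0, display: 'block', visibility: 'visible', pointerEvents: 'auto' },
];
console.log(auditFrames(SAMPLE_FRAMES, SAMPLE_PAGE));
```

In a browser, `auditFrames(collectFrames(document), location.href)` runs the same check on the live page; a finding with `clickable: true` is the overlay case, the others are silent loads made with the visitor's cookies.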

Rostislav, 2017-07-20
@rosnord

The hole in VK was allegedly closed, but the services still exist.
