Social phishing (user identification). How does it work?
I'm interested in how the identification of social network users works. Such functionality is provided, for example, by socfishing.ru
I fell for this "bait" myself: I went to a legal site, did not log in anywhere, did not order anything, and a couple of hours later a message arrived in VK from their manager: "Hello, you visited our site... blah blah"
That is, the user enters the site -> the service determines his account in the social networks.
How does it work? I looked at the VKontakte API and found nothing similar. In fact, it all comes down to how to find out the user id. Further information can then be pulled out through the API.
A hidden VKontakte "Like" widget, generated using the JS API, is inserted into the site.
This widget is constantly under the cursor; when it is clicked, the JS API fires an event with all user data, which is sent to the server as a POST request.
To hide the fact of clickjacking from the user, the script also determines the object at the click coordinates and calls its click trigger.
Here is the finished code https://github.com/romkagolovadvayha/romkagolovadv...
The only thing I would fix is https://github.com/romkagolovadvayha/romkagolovadv... : it's better to generate a different LIKE_ID for each user and save it somewhere in localStorage.
https://habrahabr.ru/post/234067/ - the comments there had a description of how it works.
VK has an authorization button for sites; the button is made hidden and an on-click handler is assigned, then authorization occurs. In short: VK are complete deer, moreover, they do not even consider this a vulnerability.
For Firefox there is a wonderful thing, the privacy suite, which does a lot of things, including removing such buttons from pages.
In all the time I have worked with social phishing services, I have managed to understand how they work.
The basis of the whole system lies in clickjacking and button liking.
The VKontakte API allows you to find out the id of the one who clicked on the like.
The main difficulty is in determining whether a user is logged in or not, as well as in bypassing Yandex bans.
Luckily, the service that we currently use traffgui.ru allows you to avoid blocking from Yandex.
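The answers above describe a hidden widget that is kept under the cursor, and a browser add-on that removes such buttons. The following is an added example, not part of any answer in this thread, of the check such a content blocker could apply: it flags a cross-origin widget frame only when it is both invisible and tracking the pointer. The snapshot shape, the `WIDGET_HOSTS` list, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added example: flag a cross-origin widget frame that is invisible AND
// kept under the pointer. Snapshot shape and host list are assumptions.
const WIDGET_HOSTS = ["vk.com"]; // assumed list of social-widget hosts

function isWidgetHost(src, pageHost) {
  let host;
  try { host = new URL(src).hostname; } catch { return false; }
  if (host === pageHost) return false; // the page's own frames are out of scope
  return WIDGET_HOSTS.some(h => host === h || host.endsWith("." + h));
}

// True when the frame covered the pointer in every sample and also moved.
function followsCursor(samples) {
  if (samples.length < 3) return false;
  const covers = samples.every(s =>
    s.pointer.x >= s.left && s.pointer.x <= s.left + s.width &&
    s.pointer.y >= s.top && s.pointer.y <= s.top + s.height);
  const moved = samples.some((s, i) =>
    i > 0 && (s.left !== samples[i - 1].left || s.top !== samples[i - 1].top));
  return covers && moved;
}

function classifyFrame(frame, pageHost) {
  const reasons = [];
  if (!isWidgetHost(frame.src, pageHost)) return { suspicious: false, reasons };
  if (frame.samples.some(s => s.opacity < 0.1)) reasons.push("invisible");
  if (followsCursor(frame.samples)) reasons.push("tracks-pointer");
  return { suspicious: reasons.length === 2, reasons };
}

// Constructed samples: pointer positions after three mousemove events.
const track = [[100, 100], [240, 180], [400, 90]];
const sample = (x, y, left, top, w, h, opacity) =>
  ({ pointer: { x, y }, left, top, width: w, height: h, opacity });
const hiddenWidget = {
  src: "https://vk.com/constructed-widget-path",
  samples: track.map(([x, y]) => sample(x, y, x - 10, y - 10, 20, 20, 0)),
};
const visibleWidget = {
  src: "https://vk.com/constructed-widget-path",
  samples: track.map(([x, y]) => sample(x, y, 20, 600, 100, 22, 1)),
};

console.log(classifyFrame(hiddenWidget, "shop.example"));
console.log(classifyFrame(visibleWidget, "shop.example"));
```

In a real extension the samples would come from `getBoundingClientRect()` and `getComputedStyle()` on each iframe after `mousemove` events; a visible, stationary Like button is left alone.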