JavaScript
Alexey Solovyov, 2015-04-25 16:34:30

What threats are likely from transferring the access token of a site connected to VKontakte in the open?

It's about the access token for the connected site. The token belongs to the "website"-type application (i.e. the site), not to the visitor.

The task is to make a request to the VKontakte api from the client side, using javascript.

  • If you use the VKontakte Open API and the VK.Api.call method, then if the visitor is not connected to this application, the request does not go through (we are talking about requests that require any rights).
  • If you use a cross-domain request to VKontakte, for example through $.ajax, then you have to transfer the access token in the open. But everything grows.

Something tells me that this is not quite the right move)))

On the other hand, no obvious threats from this were found either:
  • From other sites it was not possible to make a request to the api using this token; VKontakte returns an error.

Is there any other invisible threat from this?

3 answer(s)
KorsaR-ZN, 2015-04-25
@KorsaR-ZN

There is no threat here: the token belongs to a specific user, the one in whose browser the JS is running.
All requests between your site and the VK platform go over https, which is exactly why it was invented, so that traffic cannot be listened to.
And if a person already has a worm or a similar infection on his PC, then nothing will save him. It's open :)

Ilya, 2015-04-25
@FireGM

Not very good for an application. Even though the token belongs to a person, he can use it for bad things, for example to make requests with this token himself. It turns out that the requests go through your application, and as a result its statistics grow. Yes, and

In addition to restrictions on the frequency of calls, there are also quantitative restrictions on calling methods of the same type. For obvious reasons, we do not provide information on the exact limits.
it is not clear how it works. Is it per application or per client?

Yuri, 2015-12-20
@riky

I think you are confused: the token always belongs to some user, that is, you yourself created the token (most likely under your own name in VK).
To find out who the token was created for, use the users.get method without parameters; it will return information on who it was issued to, most likely your name, the one you are logged into VK with.
1) If you have your token hard-coded into the page, anyone who finds it will be able to make requests on your behalf, that is, limited only by the rights you requested when receiving this token. And that can include reading messages, posting on the wall, and deleting everything of yours.
2) A personal token: when many requests with one token start coming from a large number of IP addresses, the token can be revoked and it will stop working for everyone. To be honest, I haven't tried it, but I think if there isn't such a thing now, they can add it.
3) Since there is only one token, all requests are subject to the common limits: 3 requests per second, some thousands per hour, per day, etc. (see the API limits). If 4 users come in at the same time, or you make more than one request, one of them will not receive results.
If there are many users per hour, the token is blocked for a while. It will say "request limit".
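The alternative to the $.ajax-with-open-token approach from the question, and to the two problems Yuri's points 1) and 3) describe (anyone holding the token inherits its rights; every visitor shares one quota), is to keep the token on the server and let the browser talk to a small proxy. The code below is an added example, not code from the question or from any of the answers, and it is not VK's own API: the endpoint shape, the API version value, the allowed-method list and the limit numbers are assumptions chosen for illustration, and the transport (actually fetching the URL) is left to the caller so the policy part runs offline.

```javascript
// Added example: a server-side proxy that holds the site's VK access token so the
// browser never sees it, forwards only an explicit list of methods, and limits each
// visitor so one visitor cannot burn the application's shared quota.
// Endpoint shape, version value, method list and limits are assumptions for illustration.

const VK_API_BASE = 'https://api.vk.com/method/'; // assumed endpoint shape
const API_VERSION = '5.0';                         // assumed version value
const APP_TOKEN = 'APP_TOKEN_PLACEHOLDER';         // secret; lives only on the server

// Only the read-only methods the site actually needs. A token used straight from
// the browser could instead call anything its scope allows (messages, wall, ...).
const ALLOWED_METHODS = new Set(['users.get', 'wall.get']);

// Sliding-window limiter keyed by visitor: at most `limit` calls per `windowMs`.
function createRateLimiter(limit, windowMs) {
  const buckets = new Map(); // visitorId -> timestamps of recent calls
  return function allow(visitorId, now) {
    const recent = (buckets.get(visitorId) || []).filter(t => now - t < windowMs);
    if (recent.length >= limit) {
      buckets.set(visitorId, recent);
      return false;
    }
    recent.push(now);
    buckets.set(visitorId, recent);
    return true;
  };
}

// The token is attached here, on the server side; the client request never carries it.
function buildUpstreamUrl(method, params) {
  const query = new URLSearchParams({ ...params, access_token: APP_TOKEN, v: API_VERSION });
  return VK_API_BASE + method + '?' + query.toString();
}

// Policy half of the proxy: decides whether a browser request may be forwarded and,
// if so, which upstream URL to call. Transport (fetch) is left to the caller.
function createProxy(rateLimiter) {
  return function decide(visitorId, body, now) {
    const method = body && typeof body.method === 'string' ? body.method : '';
    if (!ALLOWED_METHODS.has(method)) {
      return { status: 403, error: 'method not allowed' };
    }
    if (!rateLimiter(visitorId, now)) {
      return { status: 429, error: 'rate limited' };
    }
    // Drop anything the client tries to smuggle in: its own token or version override.
    const raw = body.params && typeof body.params === 'object' ? body.params : {};
    const { access_token, v, ...params } = raw;
    return { status: 200, url: buildUpstreamUrl(method, params) };
  };
}

// Browser side: the only thing the page sends to the proxy (no token anywhere).
function clientRequestBody(method, params) {
  return JSON.stringify({ method, params });
}

// Demonstration with constructed inputs: a permitted call, then a refused method.
const proxy = createProxy(createRateLimiter(3, 1000));
console.log(proxy('visitor-1', JSON.parse(clientRequestBody('users.get', { user_ids: '1' })), 0));
console.log(proxy('visitor-1', { method: 'messages.send', params: {} }, 1));
```

Because the allowlist is checked before the limiter, refused methods do not consume a visitor's quota, and because `params` is rebuilt without `access_token` and `v`, a visitor cannot substitute a different token or version even though the browser controls the request body.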
