Whom should I write to about a VK vulnerability? And is it worth it?
Good evening.
The thing is, I recently started studying the VK API and found a bottleneck in the whole system which, it seemed to me, could be exploited mercilessly to gain control over an account. I even wrote a "minivirus" for the purpose of the experiment. Everything works, and in my humble opinion it should not be this way.
And now, in fact, the question: whom do I write to about the vulnerability? I read on Habr that support does not take such reports very well, let alone pay any incentive rewards, and I did not find any official program for reporting holes (except for the API bug tracker, but that can be ignored). And does it make sense to prove that the vulnerability exists, and if so, how? The thing is, in order to exploit it, the "minivirus" needs one-time access (that is, it runs only once, for a couple of seconds, and then removes itself) to a computer that has a browser with a VK session. So can the vulnerability even be considered a vulnerability on VK's side at all?
I would be grateful for any answers and advice.
"According to the rules of the Google project dedicated to finding vulnerabilities in popular software, information about the 'holes' found is published 90 days after they are discovered and the developer is notified - regardless of whether an update has been released or not." Someone does it that way...
Is this vulnerability only in VK, or in all sites? If only in VK, then obviously it is worth writing.
I think they will react adequately; there just seem to be two support channels: one for "commoners", the other for technical issues. Yours goes to the second one.
I don't know about the reward. Judging by the description, it is not such a critical vulnerability, since access to the computer is needed. Maybe a few thousand votes. (One vote is ~7 rubles when topping up and ~3.5 rubles when withdrawing from VK.)
Is it a vulnerability at all? If you need access to the computer and to a browser with a session, then most likely it is not a vulnerability.