VK API disclose method to read private messages

in hack •  2 years ago 

First of all, i would like to notice that VK Security Team rejected submitted ticket to HackerOne, arguing that this is not a concern (refused to pay via Bug Bounty Program).

Private urls were disclosed using Marketing Spy tool Similarweb.
Query pattern :

From examples, you can find exactly whom belong text (https://vk.com/id35782579 etc)
Real examples:

Messages contain a lot of private information such as passwords to 3rd websites, attached documents etc.


Unfortunately, i can't save examples to https://web.archive.org due to robots.txt block. Example urls will expire soon and i can post more to comments.
I believe, such api calls reserved for special purpose, when Police or other government services provide investigations.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

This is not a vulnerability, it's a small feature

  ·  2 years ago (edited)

More exposure of my news in russian media http://www.ntv.ru/novosti/1989037/

Congratulations @yoga2016! You have received a personal award!

2 Years on Steemit
Click on the badge to view your Board of Honor.

Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Congratulations @yoga2016! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 3 years!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Vote for @Steemitboard as a witness to get one more award and increased upvotes!