I set myself the task of bypassing VKontakte's authentication. When the IP address of a person logging into a VK account changes, the full phone number has to be entered. If an attacker logged in with phone;password, they can perform actions on the account. But if they logged in with email;password or via substituted cookies, they cannot perform any actions on the account.
All information is provided for informational purposes only. I am not responsible for any possible harm caused by the materials of this article.
Bruteforcing will not work here, since we have only 3 attempts to enter the phone number. I tried sending every GET and POST request I could think of, but every time there was a redirect to https://vk.com/login.php?act=security_check.
It would be possible to send a POST request from another account; for this we need a CSRF token (hash), but the only token I could find was the one for logout: https://login.vk.com/?act=logout&hash=dbefb8b0bba973b95e&reason=tn&_origin=https://vk.com.
We are offered to change the account's phone number at https://vk.com/restore?act=change_phone; here we can see the number of unread messages (not a bug but a feature, and it would be good to remove it) and the settings menu items.
A little later I stumbled by chance upon the link-sharing functionality https://vk.com/share.php?url=https://ok.ru, and to my surprise this link opened:
I tried to post a link to my own wall and received a success message.
Congratulations! The link will appear on your page.
At first I didn't believe it; I thought security_check blocked everything, but then I went to the wall and saw that the link had been posted successfully :)
You can share not only links on the wall but also a regular post; for this you need to leave the url parameter blank: https://vk.com/share.php?url=.
Also, if we are the owner or administrator of a group, we can post on the group's wall, bypassing the phone-number entry.
We cannot send a message to friends, because https://vk.com/login.php?act=security_check blocks retrieval of the friends list. The request that sends a url to a friend has this form:
POST /al_mail.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept-Encoding: gzip, deflate, br
Here to_ids are the friends' IDs and chas is the CSRF token, so we cannot simply substitute a friend's ID; the token gets in the way. We cannot take the token from the wall-sharing request either, since that request uses a completely different variable: hash=bb6e1ce8db5f1419e3.
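The root cause described above is that the security_check gate was enforced on some endpoints (friends list, messages) but not on share.php and group wall posts, so a session that never confirmed the phone number could still write to the wall. The following is an added example, not VK's code: a toy request dispatcher that models the weak pattern (gate applied only to an explicit list of "sensitive" routes, with share.php forgotten) beside the corrected pattern (every request from a half-verified session is refused except an explicit allow-list of the verification and logout endpoints), plus a small detector for a pending session that probes many gated endpoints, as the author did. All route names, the Session fields and the audit format are assumptions for the model.

```python
"""
Deny-by-default enforcement of a pending "security check" session state.

Added example, not VKontakte's code. Routes, session fields and the audit
log format are invented for the model; the behaviour it demonstrates is the
difference between gating a list of known-sensitive endpoints and gating
everything a half-verified session sends.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed session shape: pending_security_check is set after a login from a
# new IP address and cleared only when the full phone number is confirmed.
@dataclass
class Session:
    user_id: int
    pending_security_check: bool
    audit_log: List[str] = field(default_factory=list)

Handler = Callable[[Session, dict], Tuple[int, str]]
Route = Tuple[str, str]  # (method, path)

REDIRECT = (302, "https://vk.com/login.php?act=security_check")

def share_handler(session: Session, params: dict) -> Tuple[int, str]:
    # Models share.php: an empty url means "post plain text to the wall".
    return 200, f"posted url={params.get('url', '')!r} to wall of user {session.user_id}"

ROUTES: Dict[Route, Handler] = {
    ("POST", "/share.php"): share_handler,
    ("GET", "/feed"): lambda s, p: (200, "news feed"),
    ("GET", "/friends"): lambda s, p: (200, "friends list"),
    ("GET", "/login.php"): lambda s, p: (200, "enter your full phone number"),
    ("GET", "/logout"): lambda s, p: (200, "logged out"),
}

# Weak pattern: only routes somebody remembered to list are gated.
# share.php was never added, so a pending session can still post to the wall.
GATED_ROUTES_WEAK = {("GET", "/feed"), ("GET", "/friends")}

# Fixed pattern: a pending session may reach only the check itself and logout.
# Every other route, including ones added later, is gated without extra work.
ALWAYS_ALLOWED = {("GET", "/login.php"), ("POST", "/login.php"), ("GET", "/logout")}

def _run(session: Session, key: Route, params: Optional[dict]) -> Tuple[int, str]:
    handler = ROUTES.get(key)
    return handler(session, params or {}) if handler else (404, "not found")

def _block(session: Session, key: Route) -> Tuple[int, str]:
    # Record every refusal; the detector below reads this log.
    session.audit_log.append(f"blocked {key[0]} {key[1]} user={session.user_id}")
    return REDIRECT

def dispatch_weak(session: Session, method: str, path: str,
                  params: Optional[dict] = None) -> Tuple[int, str]:
    key = (method, path)
    if session.pending_security_check and key in GATED_ROUTES_WEAK:
        return _block(session, key)
    return _run(session, key, params)

def dispatch_fixed(session: Session, method: str, path: str,
                   params: Optional[dict] = None) -> Tuple[int, str]:
    key = (method, path)
    if session.pending_security_check and key not in ALWAYS_ALLOWED:
        return _block(session, key)
    return _run(session, key, params)

def probing_detected(session: Session, threshold: int = 3) -> bool:
    """True when a pending session was refused on at least `threshold`
    distinct endpoints, i.e. it is enumerating for an ungated one."""
    paths = {line.split()[2] for line in session.audit_log if line.startswith("blocked ")}
    return len(paths) >= threshold

if __name__ == "__main__":
    s = Session(user_id=1, pending_security_check=True)
    print("weak:", dispatch_weak(s, "POST", "/share.php", {"url": "https://ok.ru"}))
    print("fixed:", dispatch_fixed(s, "POST", "/share.php", {"url": "https://ok.ru"}))
```

The point of the allow-list form is that the gate no longer depends on each endpoint author remembering to add a check: share.php, group wall posts and any endpoint written later are refused for a pending session unless they are deliberately listed as reachable. Logging each refusal also gives a cheap signal: a single pending session bouncing off several different endpoints is exactly the enumeration the author performed.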
Immediately after finding the vulnerability, I wrote a report on h1; the triage team told me that it was a duplicate, they had already received such a report.
To find out the approximate date when that report was sent, I turned to the report search, looked at the report whose ID is closest to mine and saw the date: https://hackerone.com/reports/170894. It turned out that this report was sent 4 months ago.
It is very sad that VK could not fix the vulnerability in all this time. Some reports hang for years; I am sure that many bug hunters in VK's bug bounty have stumbled upon duplicates, since it is no secret that VK has many reports and a lot of work, and not many security engineers.
Proof: a vulnerability in video files that was submitted by Aleksei Pisarenko. Awaiting a fix for 2 years already!
Another report that has been hanging for 1 year:
This article was written only to attract the attention of VKontakte's developers; I hope they will fix this vulnerability, increase the security staff and begin resolving vulnerabilities quickly.
Conclusions: the phishers' goal is spam, it remains achievable, and VK authentication can be bypassed.
P.S.: In the process of bypassing the authentication, I discovered a vulnerability that allows subscribing any VK user to a group without knowing the victim's phone number, and another one that completely bypasses 2FA, but I have not yet reported them.
P.P.S.: About the vulnerability's impact:
1. This vulnerability can be used in mass phishing attacks on users (creating VK fakes and spreading them through private messages, combined with social engineering aimed at friends of hacked accounts, is gaining popularity). Often phishers, on receiving logs, run into log-in problems and cannot propagate the url of the phishing site further (they receive only email;password); with this vulnerability they can obtain many more logs, because they share their link on the victim's wall and in the victim's group.
2. To get a user's page blocked or frozen: share a prohibited link on your wall and immediately block your account.