Posted on February 21, 2019 at 4:50 PM
A group of hackers found and reported a bug in Russia’s most important social media network VKontakte. They received no feedback from VKontakte security teams for a whole year. To point the public attention to the threat, hackers did exactly what they do best – they exploited the bug.
VKontakte and their user security management
Also known as “the Russian Facebook”, VKontakte was founded in 2006 in Saint Petersburg. It became the biggest social media network in Russia, with more than 500 million accounts. The owner of the network is Mail.ru, the biggest Internet provider in Russia.
Besides their own web security teams, VKontakte also works with companies such as HackerOne to protect user information. HackerOne runs bug bounty programs that pay researchers for finding and reporting vulnerabilities in website code. In four years, the program has already paid out 250 000 dollars in bounties for reported bugs, improving VKontakte’s network security through collaboration with hackers.
When a group of Russian developers called Bagosi found another bug in the code, they submitted it to VKontakte. They expected VKontakte to fix the bug and pay them through the bug bounty program. As they later explained in their VKontakte post, no one from VKontakte or HackerOne reached out to them for a whole year. They felt ignored, so they decided to exploit the vulnerability. The purpose of the attack was to draw public attention to the matter and hence to improve user security on VKontakte.
To demonstrate the potential danger, Bagosi planted a harmless virus in a VKontakte post. When the post is viewed, the virus spreads across the network by posting a link to the infected VK post on every group or page the infected user manages. Bagosi released the virus on the 14th of February, evading VKontakte’s anti-spam checks in various ways – for example, by randomizing headlines or filling the posts with random text taken from Google Play Store reviews. Bagosi’s worm reached 140 000 VKontakte users in only 20 minutes! VKontakte security teams reacted fast, deleted the infected posts and banned Bagosi’s VKontakte user account.
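The propagation pattern described above (the same post link re-shared into every community an infected account manages, with the headline and body text randomized to slip past spam filters) is exactly what a platform's abuse detection should key on. The following is an added example, not code from VKontakte, HackerOne or Bagosi: a small detector that ignores the post text entirely and instead groups posts by author and linked post id, alerting when one account pushes the same link into several distinct communities within a short window. The log format, the `example-social.test` domain, the link pattern and the thresholds are all assumptions constructed for the illustration.

```python
"""Heuristic detection of worm-like cross-community post propagation.

Added illustration, not the platform's or the researchers' code. The log
format, the link pattern, the sample records and the thresholds below are
all constructed assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shape of a shared-post link on the (fictional) platform; the
# captured group is the id of the post being re-shared.
LINK_RE = re.compile(r"https?://(?:www\.)?example-social\.test/wall(-?\d+_\d+)")

# Assumed thresholds; a real deployment would tune these against live traffic.
WINDOW = timedelta(minutes=20)
MIN_COMMUNITIES = 3

# Constructed sample log: "timestamp | author | community | post body".
# user_1001 re-shares the same post into three communities it manages
# within seconds, each time with a different headline (as the worm did);
# user_2002 is an ordinary single post.
SAMPLE_LOG = [
    "2019-02-14T12:00:00 | user_1001 | group_cats | Best app ever!! https://example-social.test/wall-555_42",
    "2019-02-14T12:00:05 | user_1001 | group_music | Five stars, works great https://example-social.test/wall-555_42",
    "2019-02-14T12:00:11 | user_1001 | page_shop | Crashes sometimes but ok https://example-social.test/wall-555_42",
    "2019-02-14T12:01:00 | user_2002 | group_cats | Meeting tonight at 7 https://example-social.test/wall-777_1",
    "2019-02-14T15:00:00 | user_1001 | group_books | Re-sharing https://example-social.test/wall-555_42",
]


def parse_post(line):
    """Split one constructed log line into its fields."""
    ts, author, community, body = line.split("|", 3)
    return {
        "ts": datetime.fromisoformat(ts.strip()),
        "author": author.strip(),
        "community": community.strip(),
        "body": body.strip(),
    }


def extract_targets(body):
    """Return the set of re-shared post ids referenced in a post body."""
    return set(LINK_RE.findall(body))


def find_propagation(lines, window=WINDOW, min_communities=MIN_COMMUNITIES):
    """Alert on (author, linked post) pairs that hit many communities quickly.

    Keying on the link target rather than the text means randomized
    headlines and filler copied from app-store reviews do not help the
    worm: every re-share still points at the same source post.
    """
    posts = sorted((parse_post(line) for line in lines), key=lambda p: p["ts"])
    by_key = defaultdict(list)
    for post in posts:
        for target in extract_targets(post["body"]):
            by_key[(post["author"], target)].append(post)

    alerts = []
    for (author, target), shares in by_key.items():
        start = 0
        # Sliding window over the time-ordered re-shares of this link.
        for end in range(len(shares)):
            while shares[end]["ts"] - shares[start]["ts"] > window:
                start += 1
            communities = {p["community"] for p in shares[start:end + 1]}
            if len(communities) >= min_communities:
                alerts.append({
                    "author": author,
                    "target": target,
                    "communities": sorted(communities),
                    "first": shares[start]["ts"],
                    "last": shares[end]["ts"],
                })
                break  # one alert per (author, link) is enough to act on
    return alerts


if __name__ == "__main__":
    for alert in find_propagation(SAMPLE_LOG):
        print(alert)
```

On the constructed log the detector raises a single alert for `user_1001` re-sharing post `-555_42` into three communities within eleven seconds; the later re-share at 15:00 falls outside the window and the single post by `user_2002` never reaches the threshold. The design choice is that the text content is never inspected, which is what makes content randomization irrelevant; a production system would combine this with rate limits on cross-posting and a reputation signal for the linked post itself.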
Can hackers’ actions be justified?
In their defense, HackerOne stated that VKontakte handles bug reports itself, inside its own security teams. With an organized and fast reaction, VKontakte’s teams stopped the infection in 20 minutes. VKontakte also unblocked Bagosi’s account once it realized that the attack was not meant to steal personal information or to harm users in any way, but only to demonstrate a security issue. However, according to developer Dan Kaminsky, Bagosi should have proven their point in a friendlier way.
Kaminsky earned the title of “king of responsible disclosure” in the IT world when he kept a serious DNS bug under wraps for a few months until a fix was ready. Speaking about this case, he was not keen on Bagosi’s way of solving the problem. He said that spamming users should not be the way to resolve disputes between developers and companies, because user security is their common goal. Kaminsky concluded that although the attack was not meant to be harmful, it did cross a line by manipulating the very users and social network whose security it was trying to improve. Therefore, for the sake of users, there needs to be a friendlier way to settle this kind of dispute in the future.