VK Users’ Voice Messages Found Publicly Accessible

Voice messages from some users of the VKontakte social network were discovered to be publicly accessible. The incident was first noticed by visitors of the imageboard “Dvach.”

According to users, this vulnerability had existed for over a month. To listen to any recording, it was enough to go to the “Documents” section and search for “audiocomment.3gp.” The author of each recording could be identified by clicking on the file, as the page ID was visible in the link.

Search results showed more than two thousand recordings. Currently, these voice messages no longer appear in search results.

Possible Cause: Third-Party Applications

The vulnerability may be related to flaws in third-party applications. Most likely, the publicly accessible voice messages were those sent through unofficial apps like VK Coffee or Kate Mobile.

According to VK’s press service, only those voice messages uploaded “through unofficial services” were accessible. While the issue is being investigated, the document search feature has been temporarily disabled.