Vulnerability in VK Allowed Anyone to Post Videos in Communities
A vulnerability in the VK social network allowed anyone to publish videos in communities, bypassing administrator moderation. The issue was discovered by a reader of the online publication TJ, who wished to remain anonymous. According to him, he is an administrator of a VK community with over 135,000 subscribers. He unexpectedly found two short videos on the community wall that had been posted by someone without administrator rights.
It turned out that the pre-moderation process could be bypassed using the “Suggest News” feature. The reader reproduced the vulnerability in a test community. First, he uploaded a video to his personal page, and then published it in the community through the “Suggest News” function. Neither access to settings nor editor rights were required. The vulnerability also worked during tests in other communities.
The administrator reported his discovery to the VK support team and received a promise that they would “look into it and come up with a solution.” According to VK’s press service, the vulnerability was fixed, and the user who discovered it will receive a monetary reward.
“As I understand it, the problem was that VK did not fully account for privacy settings when uploading videos (it was enough to simply close the tab with the new video without saving). After that, it was easy: select a community, suggest the video through the ‘Suggest News’ form, return to your video, and try to publish it with the ‘Publish on my page’ checkbox selected. The remaining question: why did the ‘Publish on my page’ function result in automatic publication in someone else’s community? At the same time, the video remained unpublished on my profile,” the user explained.