VK Delays Fixing 5-Year-Old Security Vulnerability
The social network VKontakte has postponed developing a fix for a serious vulnerability that has existed for about five years, as the company did not consider the issue significant enough to address. The vulnerability, found in the call import feature, allows access to any user’s phone number.
The issue was discovered by 18-year-old programmer Sergey Vakulin from Voronezh, who then notified VK’s administration. In an interview with Channel 5, Vakulin stated that the vulnerability still exists and could potentially be exploited by malicious actors. VK’s administration decided to delay creating a fix, as they did not see the problem as worthy of attention. According to Vakulin, the vulnerability has been present for approximately five years.
“It turns out my vulnerability is already five years old, an anniversary, you could say. For five years, all VK users have been exposed to this risk. The import feature was launched in 2013, and from 2013 to 2018, there was no privacy setting for ‘who can see my number during import.’ By default, this option was set to ‘all users.’ In my opinion, many underground companies have taken advantage of this vulnerability,” Vakulin noted.
Vakulin was not surprised by VK’s response. He said that many cybersecurity experts have faced unfair treatment from the social network’s management.
“They offered me a payment, with the minimum being $100, but after reading reviews online, I found that many of my fellow programmers never received their promised payments. VK would claim that the issue wasn’t a vulnerability at all. They would patch the hole but never pay, then ignore the programmers. In one case, a person waited eight months and still never received payment for their vulnerability report or their time,” Vakulin added.
Vakulin plans to continue researching similar vulnerabilities in other social networks in the future.