White hat hackers flooded VKontakte (VK) with spam on Valentine’s Day as a revenge prank against the Russian social network, after the company failed both to fix a vulnerability that a security researcher had reported to the site a year before and to financially reward him for it.
At the heart of the spam campaign was a worm created by Baghosi, a community for Russia-based social media app developers. To power their worm, Baghosi devs used a vulnerability impacting VK that was discovered by one of its members and reported to the social network a year before. Baghosi said VK failed to acknowledge the bug report, and also failed to fix the issue, let alone pay the security researcher for his bug hunting efforts. The actual worm resided in a script hidden inside an article’s source code. When anyone accessed the malicious page to read the article, the hidden worm would post a link to the article on the VK groups and pages the reader was managing.
Read more here (in Russian): https://vk.com/wall-22822305_608052