Hackers unleash social media worm after bug report ignored – Naked Security

What happens when you report a vulnerability to a website and it completely ignores your request, in spite of running a bug bounty program that’s supposed to pay for disclosures?

Some hackers might just walk away, but a group of app developers in Russia chose another approach. They used the vulnerability to spam thousands of users on Russia’s largest social network.

The group, called Bagosi, develops apps that run on St Petersburg-based VKontakte (VK), a social network with over 500 million users owned by the Russian Internet company Mail.ru.

According to ZDNet, the group discovered a vulnerability in the social network and alerted developers there a year ago.

In a post on VKontakte, Bagosi explained that the social network ignored the bug report: it neither paid the person who discovered the flaw nor acknowledged the submission in any way. This is in spite of the fact that VKontakte runs a bug bounty program on HackerOne. VK told Naked Security that the program has been running since 2015 and has paid out $250,000 in bounties. However, HackerOne also told us that the VK program is self-managed, meaning that the social network triages and responds to bug reports with its own internal teams rather than relying on HackerOne's staff.

Bagosi decided to bring the vulnerability to users' attention in a spectacular way. It wrote a VK post containing a script that ran in the browser of anyone who viewed the post. The script then posted a link to that same post on every group or page the viewer managed, so each new viewer became another distributor: in effect, a self-propagating cross-site scripting worm.

Bagosi also used evasion tactics, according to explanatory posts it made on VK. The script pulled random reviews from the Google Play store to vary the body text and randomised the headlines, it said, so that the spam posts did not share the repeated wording that anti-spam filters typically key on.
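Randomising the visible text defeats filters that match on wording, but every copy of the spam still has to carry the same link back to the worm post, which suggests keying detection on the link target rather than the text. The following is an added example, not code from the article, from VK or from Bagosi: it runs over a constructed set of wall posts (the `vk.example` and `news.example` hosts and the post records are invented for illustration) and flags any link target that appears in posts from several distinct accounts into several distinct communities within a short time window, regardless of how the surrounding text varies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def canonical_link(url):
    """Collapse cosmetic variations of a link (host case, trailing slash,
    tracking parameters) so that copies of the same target share one key."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    path = parts.path.rstrip("/") or "/"
    query = [(k, v) for k, v in parse_qsl(parts.query)
             if not k.startswith("utm_") and k != "ref"]
    return urlunsplit((parts.scheme.lower(), host, path, urlencode(sorted(query)), ""))


def extract_links(text):
    """Return the canonical form of every URL found in a post body."""
    return [canonical_link(u) for u in URL_RE.findall(text)]


def find_link_bursts(posts, window=timedelta(minutes=10),
                     min_accounts=5, min_communities=3):
    """Flag link targets pushed by many accounts into many communities at once.

    posts: iterable of dicts with keys ts (datetime), author, community, text.
    Returns {canonical_link: {"accounts", "communities", "posts"}} for each
    link whose densest window meets both thresholds.
    """
    by_link = defaultdict(list)
    for p in posts:
        for link in set(extract_links(p["text"])):
            by_link[link].append((p["ts"], p["author"], p["community"]))

    flagged = {}
    for link, events in by_link.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            window_events = events[start:end + 1]
            authors = {a for _, a, _ in window_events}
            communities = {c for _, _, c in window_events}
            if len(authors) >= min_accounts and len(communities) >= min_communities:
                stats = {"accounts": len(authors),
                         "communities": len(communities),
                         "posts": len(window_events)}
                if link not in flagged or stats["posts"] > flagged[link]["posts"]:
                    flagged[link] = stats
    return flagged


# Constructed sample data (not real VK posts). The worm-style posts carry
# different headlines but the same hypothetical link target, spread across
# eight accounts and four communities within four minutes; the benign posts
# come from one account and point at a different page each time.
BASE = datetime(2019, 2, 14, 12, 0, 0)
WORM_LINK = "https://vk.example/wall-1_100"  # hypothetical target
HEADLINES = ["Great app, five stars!", "Works perfectly, recommend it",
             "Crashes sometimes but fine", "Best tool I have used",
             "Love it", "Not bad at all"]
SAMPLE_POSTS = [
    {"ts": BASE + timedelta(seconds=30 * i), "author": f"user{i}",
     "community": f"group{i % 4}",
     "text": f"{HEADLINES[i % len(HEADLINES)]} {WORM_LINK}?utm_source=s{i}"}
    for i in range(8)
] + [
    {"ts": BASE + timedelta(hours=i), "author": "editor", "community": "news",
     "text": f"Daily digest https://news.example/day/{i}"}
    for i in range(3)
]


if __name__ == "__main__":
    for link, stats in find_link_bursts(SAMPLE_POSTS).items():
        print(f"burst: {link} accounts={stats['accounts']} "
              f"communities={stats['communities']} posts={stats['posts']}")
```

The thresholds are deliberately conservative: a single account reposting one link many times, or a popular link shared in one community, does not trip them, so the rule targets the cross-account, cross-community fan-out that is the signature of a worm rather than ordinary sharing.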

Clearly, VK can move quickly when it wants to. The app developers launched the attack on 14 February, and the social network shut it down quickly. A VK spokesperson told Naked Security:

Within the first minute of the vulnerability being discovered, we began deleting the undesirable posts, and within 20 minutes, the vulnerability was completely fixed.

Still, the page spread quickly before VK blocked the vulnerability. Bagosi explained in a VK post:

The page has accumulated more than 100k views. Since VK takes into account only unique views, it can be concluded that ~140k people have become “victims” of the worm.