A full year after the Russian social media platform VKontakte failed to reward a security researcher for a vulnerability report, or even to fix the reported flaw, the researcher decided to play a prank on the company.
White hat hackers are intelligent and ethical, but they also know how to have fun. The researcher gathered a team from the Baghosi community, built a worm that exploited the very vulnerability reported a year earlier, and started spamming.
The worm was planted inside an article's source code, waiting for a visitor lured in by the title to open the page. Once someone did, the worm would enumerate the VK groups and pages that the visitor administered and automatically post a link to the article on each of them. As a result, the post went viral within a couple of minutes, racking up thousands of re-posts before anyone realized what was going on. The fake article also carried quite a few comments, which the worm had scraped from user reviews of the VKontakte app on the App Store and Google Play. To avoid a complete debacle, the post stayed up for only about half an hour before the hackers deactivated the worm. Nevertheless, the prank was a success and the message was heard loud and clear.
The white hat hacker group was quick to claim responsibility on the VKontakte platform itself, which earned them a brief ban that was lifted once the admins realized it had all been a joke. No user data or other information was compromised or stolen. VKontakte decided not to issue an official statement on the incident, but the fact that the original vulnerability report was ignored, even though the company runs a security vulnerability reporting program, remains concerning for a social media platform that is home to 100 million users.