White hats flooded VKontakte social media network with a spam campaign as a part of a revenge prank

• White hat hackers have flooded VKontakte (VK) with a spam campaign as part of a revenge prank against the social network as the company failed to acknowledge the security researcher who reported a vulnerability a year ago.
• The white hat hackers carried out the spam campaign with a computer worm created by Baghosi.

White hat hackers have flooded VKontakte (VK) with a spam campaign as part of a revenge prank against the social network as the company failed to fix the vulnerability and financially reward the security researcher who reported the vulnerability a year ago. VKontakte (VK) is a Russian social media network based in Saint Petersburg.

Computer Worm

The white hat hackers carried out the spam campaign on Valentine's Day, February 14, 2019, with a computer worm created by Baghosi which is a community for Russian social media app developers.

Baghosi used a vulnerability in VK which was discovered by one of its researchers to make the worm powerful. The vulnerability was reported to VK a year ago, but the social network failed to fix the bug.

Baghosi’s VK post

The Baghosi team on Valentine’s day posted in VK social network about the worm.

• In the post, Baghosi noted that worm exists in a script hidden inside an article's source code.
• The article embedded with a malicious script was posted to all administered groups and users’ personal pages.
• When anyone reads the malicious article, the hidden worm was executed.
• While the worm did not steal users’ personal details, it pulled random reviews from the VK app's Apple App Store and Google Play Store pages.

Harmless prank?

Baghosi noted that the vulnerability was discovered a year ago, then the VKontakte team did not pay bug bounty, as a result, Baghosi decided to use it to take revenge against VK, but not harming users.

“Today in a few hours the code was written. To make the posts harder to demolish with antispam and the entries lasted at least half an hour, the title and comment were selected randomly. Well, the prank was a success,” Baghosi said.

“Unfortunately, the main group was banned, but we hope that the employees still have a sense of humor and it will be banned. Since the vulnerability belonged to a user who no longer searches for them, this was the last time.”

VKontakte team’s response

The VKontakte team said in a VK wall post that the situation is under control and communities were not breached.

“In some communities, unwanted publications have appeared: clicking on a link led to the distribution of new entries with it. The situation is under control. Communities were not hacked, their administrators' passwords are secure,” VKontakte posted.

The VK team initially banned the Github account where the script was hosted. Later, VK reversed the ban when it became clear that the spam campaign was just a prank and that no user data was stolen.