Simply put, there is a plan to order a mobile application for one VKontakte group; it should connect to the Callback API, and the order would be given to a freelancer.

Is there any danger that the freelancer will do something harmful?

And in general, is it possible to harm a public using the VKontakte API?

  • And is making a special, unneeded group for testing not an option? - D-side
  • Thanks. I'll think about it. - pontekorvo

2 answers

The mobile application probably also implies some kind of server side: in fact, it is the server that will be connected to the Callback API and will receive notifications from VK about events in the group. If the server is not under your control but a freelancer's, then you do not control who has access to the data. Leakage of events in the group is possible.

In particular, competitors may be interested in your fresh audience: those who have just joined your group, which means a live account that shows interest in your subject matter. The "hijacking" of fresh entrants is a fairly common mechanic. There are many tools for finding those who have recently joined any public. Next, they write to them with an offer to buy the same thing at a discount, or to join another public, or they shower the original group and its business with negativity.

The Callback API is the fastest way to intercept a new member, because the event is transmitted to the server instantly, as soon as a person joins the group. But since this API is available only to the owners of the group, it is usually difficult for competitors to reach it. In the case of an unknown freelancer and his server, this task becomes easier (theoretically).

Probably, the application is not limited to reading data. Other API methods will also be involved: sending messages to users, moderating comments. There may also be blunders in this area, if, for example, everyone who wrote to the community gets an answer with bad content.

Finally, the worst possible blunder is that the application removes all subscribers, posts illegal content, which will lead to permanent blocking of the community. Theoretically, this is also possible.

This is all theory. In my opinion, the most realistic threat, as Pavel Mayorov wrote, is a freelancer who got the money and disappeared without really doing anything.

  • "The worst possible blunder is that the application removes all subscribers, posts illegal content, which will lead to permanent blocking of the community. Theoretically, this is also possible." Yes, but does that require access to the API? Is it impossible via the Callback API? - pontekorvo
  • Via the Callback API methods this is not possible. Only a Standalone application can delete users: a "real" mobile or desktop one, or an imitation of one in the browser, where for authorization they will ask you to manually copy the address bar and paste it into a form - do not do it! - Sergiks
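
One way to keep the event stream under the owner's control, as an added example that is not part of the original answers: a Callback API receiver hosted by the group owner that checks the group id and secret key, answers the confirmation request, and passes on to the contractor's application only the event types it needs, so `group_join` events never leave the owner's server. The group id, secret, confirmation string, `FORWARD_TYPES` choice and sample events are constructed assumptions.

```python
import hmac
import json

# Constructed values; the real ones come from the community's Callback API settings.
GROUP_ID = 123456
SECRET = "constructed-secret"
CONFIRMATION = "a1b2c3d4"
# Assumption: the contractor's app only needs incoming messages.
FORWARD_TYPES = {"message_new"}


def handle_callback(raw_body: bytes):
    """Return (http_status, response_text, event_to_forward_or_None)."""
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, "bad request", None
    if not isinstance(event, dict) or event.get("group_id") != GROUP_ID:
        return 403, "forbidden", None
    if event.get("type") == "confirmation":
        # VK expects the confirmation string when the server is registered.
        return 200, CONFIRMATION, None
    secret = event.get("secret")
    if not isinstance(secret, str) or not hmac.compare_digest(
        secret.encode(), SECRET.encode()
    ):
        return 403, "forbidden", None
    if event.get("type") not in FORWARD_TYPES:
        # Acknowledge with "ok", but keep the event in-house.
        return 200, "ok", None
    # Strip the secret before anything leaves the owner's server.
    forwarded = {"type": event["type"], "object": event.get("object")}
    return 200, "ok", forwarded


def make_event(event_type, obj, secret=SECRET, group_id=GROUP_ID):
    """Build a constructed sample event in the Callback API's JSON shape."""
    return json.dumps(
        {"type": event_type, "object": obj, "group_id": group_id, "secret": secret}
    ).encode()


if __name__ == "__main__":
    samples = [
        make_event("group_join", {"user_id": 1001, "join_type": "join"}),
        make_event("message_new", {"message": {"from_id": 1001, "text": "hi"}}),
        make_event("message_new", {"message": {"text": "spoofed"}}, secret="guess"),
    ]
    for body in samples:
        print(handle_callback(body))
```
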

There is no direct threat from the Callback API, since there is only read access there. Data leakage is possible - but you already have a public.

If we talk about the VKontakte API as a whole, then, of course, you can do harm in a hundred different ways, because through the API you can do almost all the same things that can be done through the web interface.

PS Do not forget about the main threat posed by freelancers - they can hand you a non-working application.