How I upgraded my privileges to the administrator of Odnoklassniki’s URL shortener

Hi, today I will tell you how I hacked one service and successfully managed to get administrator rights.

(This issue has been reported to the company’s bug bounty program at and is now fixed.)

There is a service for shortening links “”
I searched for something there for a long time, but my attempts were unsuccessful, since the average user has practically no functionality there.

And suddenly it occurred to me to look at the scripts/styles associated with the site.

I found an interesting js script:

I saw the jQuery library there, and thought that there would be very little interesting or nothing at all… 😓

Nevertheless, I decided to look, and it was not in vain: I saw all the API methods and the functions of this service 😻


It was there that I saw the functions of the administrator…

(Image: Adm Func)

I decided to make a request and try to perform one of the functions (I was sure that this would not work, because everyone makes very cruel checks).


I did not show you the request itself, but it was successfully completed, and I saw this answer! 😂🤗

I immediately ran to write my report to this program.


changed the status to Triaged. (Apr 24th)

Fix (Apr 25th)

Bounty (Apr 26th): $500

The guys made a correction very quickly. The vulnerability was aggravated by the fact that absolutely any user could see this and take advantage of it for their own purposes.
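The write-up describes administrator API functions that were visible in a public script and that the server executed for an ordinary user, which is a missing server-side authorization check. The following is an added example, not code from the service or from the original post, showing that class of bug beside a deny-by-default fix; every method name, role and handler in it is hypothetical.

```javascript
// Added example: hypothetical API method table for a link shortener.
// Each method declares the minimum role the SERVER requires to run it.
const METHODS = new Map([
  ['link.shorten',     { role: 'user',  run: (s, p) => ({ ok: true, short: 'abc123' }) }],
  ['link.stats',       { role: 'user',  run: (s, p) => ({ ok: true, clicks: 0 }) }],
  ['admin.deleteLink', { role: 'admin', run: (s, p) => ({ ok: true, deleted: p.id }) }],
]);
const RANK = new Map([['anonymous', 0], ['user', 1], ['admin', 2]]);

// Vulnerable shape: any known method is executed. Admin methods are only
// "protected" by the fact that the regular UI never calls them, so anyone
// who reads the client script can invoke them.
function dispatchVulnerable(session, method, params) {
  const m = METHODS.get(method);
  if (!m) return { status: 404 };
  return { status: 200, body: m.run(session, params) };
}

// Hardened shape: the role comes from the server-side session (never from
// the request body), unknown roles rank as anonymous, and every denial is
// recorded so probing of admin methods shows up in monitoring.
const denied = [];
function dispatchHardened(session, method, params) {
  const m = METHODS.get(method);
  if (!m) return { status: 404 };
  const have = RANK.get(session ? session.role : 'anonymous') ?? 0;
  const need = RANK.get(m.role);
  if (need === undefined || have < need) {
    denied.push({ user: session ? session.id : null, method });
    return { status: 403 };
  }
  return { status: 200, body: m.run(session, params) };
}

// Constructed sample sessions (as the server would load them from its store).
const regularUser = { id: 'u1', role: 'user' };
const adminUser = { id: 'a1', role: 'admin' };

console.log(dispatchVulnerable(regularUser, 'admin.deleteLink', { id: 'x' }).status);
console.log(dispatchHardened(regularUser, 'admin.deleteLink', { id: 'x' }).status);
console.log(dispatchHardened(adminUser, 'admin.deleteLink', { id: 'x' }).status);
```

Hiding or minifying the client script does not change the outcome; only the server-side check decides whether the call runs.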


Happy hunting :)
