IDOR vulnerability in Reddit allowed attackers to perform mod actions

Aug 10, 2022 | News


An IDOR vulnerability in Reddit allowed attackers to perform moderator actions or elevate regular users to mod status without the appropriate permissions.

The flaw could have allowed for all kinds of mischief, as Reddit mods are privileged to perform actions such as pin or remove posts, ban other users, and edit subreddit information.

As detailed in a recent HackerOne report, a bug hunter with the handle ‘high_ping_ninja’ found that Reddit failed to check if the user was a moderator of a particular subreddit when they attempted to access the mod logs via GraphQL.

“You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained.
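The report describes a resolver that trusted the client-supplied subredditName and never asked whether the caller moderated that subreddit. The following is an added illustration, not Reddit's code, of what that missing object-level authorization check looks like in a minimal GraphQL-style resolver: the vulnerable shape beside the fixed one, with a denied-access record a defender can alert on. All subreddit names, users and log entries are constructed sample data.

```javascript
// Added example (not Reddit's code): a minimal GraphQL-style "modLog" resolver,
// first without the moderator check the report describes as missing, then with it.
// All data below is constructed for illustration.

// Constructed sample data: subreddit -> moderators and moderation log entries.
const SUBREDDITS = {
  r_example: {
    moderators: new Set(["alice"]),
    modLog: [
      { action: "removepost", actor: "alice", target: "t3_abc123" },
      { action: "banuser", actor: "alice", target: "mallory" },
    ],
  },
  r_private_test: {
    moderators: new Set(["bob"]),
    modLog: [{ action: "pin", actor: "bob", target: "t3_def456" }],
  },
};

// Denied requests are recorded so they can be surfaced to monitoring;
// repeated denials from one account across many subreddits are a useful signal.
const DENIED = [];

class AuthorizationError extends Error {}

// Vulnerable shape: the resolver looks up whatever subredditName the client sent
// (the direct object reference) and returns its data without authorizing the caller.
function modLogResolverVulnerable(ctx, args) {
  const sub = SUBREDDITS[args.subredditName];
  if (!sub) throw new Error("no such subreddit");
  return sub.modLog;
}

// Authorization must be evaluated against the specific object requested,
// not against whether the user moderates *some* subreddit.
function isModeratorOf(username, subredditName) {
  const sub = SUBREDDITS[subredditName];
  return Boolean(sub && sub.moderators.has(username));
}

// Fixed shape: authenticate, resolve the object, then check the caller's
// relationship to that object before returning any of its data.
function modLogResolverFixed(ctx, args) {
  if (!ctx.user) throw new AuthorizationError("authentication required");
  const sub = SUBREDDITS[args.subredditName];
  if (!sub) throw new Error("no such subreddit");
  if (!isModeratorOf(ctx.user, args.subredditName)) {
    DENIED.push({ user: ctx.user, subredditName: args.subredditName });
    throw new AuthorizationError(`${ctx.user} does not moderate ${args.subredditName}`);
  }
  return sub.modLog;
}

// Runs one resolver for a given user and subreddit and summarizes the outcome,
// so both shapes can be compared on identical requests.
function tryResolve(resolver, user, subredditName) {
  try {
    return { ok: true, entries: resolver({ user }, { subredditName }).length };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Same request against both resolvers: a non-moderator asking for r_example's mod log.
console.log("vulnerable:", tryResolve(modLogResolverVulnerable, "mallory", "r_example"));
console.log("fixed:     ", tryResolve(modLogResolverFixed, "mallory", "r_example"));
console.log("denied log:", DENIED);
```

The point of the fixed resolver is where the check sits: after the object is resolved, keyed on that object's own moderator list. A check that only asks "is this user a moderator anywhere" would still leave the reference to any other subreddit unprotected.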


Same-day fix

The insecure direct object reference (IDOR) bug was reported on August 3 and fixed on the same day.

“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes.

The researcher was awarded a $5,000 bug bounty for the find.


Source: portswigger.net