Simple IDOR vulnerability in Reddit allowed mischief-makers to perform mod actions

A vulnerability in Reddit allowed attackers to perform moderator actions or elevate regular users to mod status without the appropriate permissions.

The flaw could have allowed for all kinds of mischief, as Reddit mods are privileged to perform actions such as pinning or removing posts, banning other users, and editing subreddit information.

As detailed in a recent HackerOne report, a bug hunter with the handle ‘high_ping_ninja’ found that Reddit did not verify that the requesting user was a moderator of the subreddit named in a GraphQL request before returning that subreddit's mod log (the record of actions taken by its moderators).

“You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained.
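The pattern described above, as an added illustration rather than Reddit's own code: a minimal resolver for a mod-log query, first with the authorization check missing (the client-supplied subreddit name is used as a direct object reference and nothing ties it to the caller's mod rights), then with the check in place. The subreddit names, users, log entries and the `mod_log_*` function names are all constructed for this example, and the exact shape of Reddit's GraphQL query is not known, so only the `subredditName` parameter is taken from the report.

```python
# Added example (not Reddit's code): a toy GraphQL-style resolver for a
# subreddit mod log, shown with and without the object-level authorization
# check. All subreddits, users and log entries here are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Subreddit:
    name: str
    visibility: str                     # "public", "restricted" or "private"
    moderators: set = field(default_factory=set)
    mod_log: list = field(default_factory=list)


class NotAuthorized(Exception):
    """Raised when the caller may not read the requested mod log."""


# Constructed in-memory store standing in for the real backend.
SUBREDDITS = {
    "cats": Subreddit("cats", "public", {"alice"},
                      [{"action": "removelink", "mod": "alice", "target": "t3_abc"}]),
    "secretclub": Subreddit("secretclub", "restricted", {"bob"},
                            [{"action": "banuser", "mod": "bob", "target": "mallory"}]),
}


def mod_log_vulnerable(requester: str, subreddit_name: str) -> list:
    """Resolver as the bug report describes it: the subreddit is looked up
    purely by the client-supplied subredditName and the requester's mod
    status is never consulted, so any logged-in user can read any log."""
    sub = SUBREDDITS[subreddit_name]
    return sub.mod_log


def mod_log_fixed(requester: str, subreddit_name: str) -> list:
    """Same resolver with the missing check: the log is returned only when
    the requester moderates that specific subreddit. A missing subreddit and
    a missing permission fail identically, so the response does not reveal
    whether the name exists to someone who may not see it."""
    sub = SUBREDDITS.get(subreddit_name)
    if sub is None or requester not in sub.moderators:
        raise NotAuthorized(f"{requester!r} may not view the mod log of {subreddit_name!r}")
    return sub.mod_log


def can_read_mod_log(requester: str, subreddit_name: str, resolver) -> bool:
    """Demonstration helper: True if the given resolver hands back the log."""
    try:
        resolver(requester, subreddit_name)
        return True
    except (NotAuthorized, KeyError):
        return False


if __name__ == "__main__":
    # 'mallory' moderates nothing, yet the vulnerable resolver serves both logs.
    for name in ("cats", "secretclub"):
        print(name,
              "vulnerable:", can_read_mod_log("mallory", name, mod_log_vulnerable),
              "fixed:", can_read_mod_log("mallory", name, mod_log_fixed))
    print("alice on cats, fixed:", can_read_mod_log("alice", "cats", mod_log_fixed))
```

The check worth noting is that it is per-object: being a moderator somewhere is not enough, the requester must moderate the subreddit actually named in the request, which is the distinction an IDOR test probes by swapping one valid identifier for another.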

Same-day fix

The insecure direct object reference (IDOR) bug, a missing authorization check on a client-supplied object identifier (here the subreddit name), was reported on August 3 and fixed on the same day.

“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes.

The researcher was awarded a $5,000 bug bounty for the find.

Source: https://portswigger.net/daily-swig/simple-idor-vulnerability-in-reddit-allowed-mischief-makers-to-perform-mod-actions

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO