Cyber Security

Simple IDOR vulnerability in Reddit allowed mischief-makers to perform mod actions

A vulnerability in Reddit allowed attackers to perform moderator actions or elevate regular users to mod status without the appropriate permissions.

The flaw could have allowed for all kinds of mischief, as Reddit mods are privileged to perform actions such as pin or remove posts, ban other users, and edit subreddit information.

As detailed in a recent HackerOne report, a bug hunter with the handle ‘high_ping_ninja’ found that Reddit failed to check if the user was a moderator of a particular subreddit when they attempted to access the mod logs via GraphQL.

“You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained.
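The flaw the researcher describes is a missing authorization check: the resolver looks up the object named by a client-supplied `subredditName` and returns it without confirming that the caller moderates that subreddit. The example below is added here to illustrate that pattern and its fix; it is not Reddit's code, and the store, resolver names, usernames and log entries are all constructed for this illustration. The hardened resolver also records denied requests, so a single account probing many subreddits' mod logs becomes visible in the audit trail.

```python
"""Missing-authorization (IDOR) check on a GraphQL-style mod-log resolver.

Added illustration, not Reddit's code. ModLogStore, the resolver names and
the sample subreddits/users are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class ModLogStore:
    # subreddit name -> usernames that moderate it (constructed sample data)
    moderators: dict = field(default_factory=dict)
    # subreddit name -> list of mod-log entries (constructed sample data)
    logs: dict = field(default_factory=dict)
    # audit trail of denied requests, kept for detection of probing
    denied: list = field(default_factory=list)


def get_mod_log_vulnerable(store, viewer, subreddit_name):
    """Vulnerable form: trusts the client-supplied subredditName.

    The only check is that the subreddit exists; nothing ties `viewer`
    to the object being returned, so any authenticated user can read
    any subreddit's mod log simply by changing the name.
    """
    if subreddit_name not in store.logs:
        raise KeyError(f"unknown subreddit {subreddit_name!r}")
    return store.logs[subreddit_name]


def get_mod_log_hardened(store, viewer, subreddit_name):
    """Hardened form: the object is still located by the client-supplied
    name, but access is decided by a server-side membership check on the
    caller, and each denial is recorded so repeated cross-subreddit
    requests from one account can be alerted on.
    """
    if subreddit_name not in store.logs:
        raise KeyError(f"unknown subreddit {subreddit_name!r}")
    if viewer not in store.moderators.get(subreddit_name, ()):
        store.denied.append((viewer, subreddit_name))
        raise PermissionError(
            f"{viewer!r} is not a moderator of {subreddit_name!r}"
        )
    return store.logs[subreddit_name]


def sample_store():
    """Constructed data: two subreddits, each with one moderator."""
    return ModLogStore(
        moderators={"r_cats": ["alice"], "r_dogs": ["bob"]},
        logs={
            "r_cats": [{"action": "remove_post", "mod": "alice"}],
            "r_dogs": [{"action": "ban_user", "mod": "bob"}],
        },
    )


def demo():
    """Show the two resolvers side by side for a non-moderator caller."""
    store = sample_store()
    leaked = get_mod_log_vulnerable(store, "mallory", "r_dogs")
    try:
        get_mod_log_hardened(store, "mallory", "r_dogs")
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, list(store.denied)


if __name__ == "__main__":
    leaked, blocked, denied = demo()
    print("vulnerable resolver returned:", leaked)
    print("hardened resolver blocked the request:", blocked)
    print("denied requests recorded for detection:", denied)
```

The membership lookup is the whole fix: authorization must be evaluated against the specific object requested, not just against whether the caller is logged in or is a moderator somewhere. Keeping the denial record separate from the success path lets an operations team threshold on it (many distinct subreddit names from one account in a short window) without touching the resolver again.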

Same-day fix

The insecure direct object reference (IDOR) bug was reported on August 3 and fixed on the same day.

“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes.

The researcher was awarded a $5,000 bug bounty for the find.

Source: https://portswigger.net/daily-swig/simple-idor-vulnerability-in-reddit-allowed-mischief-makers-to-perform-mod-actions



Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO
