Bug fixed within 24 hours and $5,000 bug bounty awarded
A vulnerability in Reddit allowed attackers to perform moderator actions or elevate regular users to mod status without the appropriate permissions.
The flaw could have allowed for all kinds of mischief, as Reddit mods are privileged to perform actions such as pinning or removing posts, banning other users, and editing subreddit information.
As detailed in a recent HackerOne report, a bug hunter with the handle ‘high_ping_ninja’ found that Reddit failed to check if the user was a moderator of a particular subreddit when they attempted to access the mod logs via GraphQL.
“You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained.
The insecure direct object reference (IDOR) bug was reported on August 3 and fixed on the same day.
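The missing check described above, as an added illustration that is not Reddit's code: a toy GraphQL-style resolver for a mod log query, shown once without any moderator check (the IDOR pattern) and once with the authorization decision made server-side from the authenticated identity. The subreddit names, user names, log entries, and function names are all constructed for the example.

```javascript
// Added example (not Reddit's code): a minimal GraphQL-style resolver for a
// "modLog" query, first without an authorization check (the IDOR pattern the
// article describes) and then with the check in place. All data below is
// constructed for the example.

// Constructed data store: who moderates which subreddit, and each mod log.
const moderators = {
  r_example: new Set(["alice"]),
  r_other: new Set(["bob"]),
};

const modLogs = {
  r_example: [{ action: "removelink", mod: "alice", target: "t3_abc" }],
  r_other: [{ action: "banuser", mod: "bob", target: "carol" }],
};

// Vulnerable resolver: trusts the client-supplied subredditName and returns
// the log without asking whether the caller moderates that subreddit.
function modLogResolverVulnerable(args, context) {
  const { subredditName } = args;
  return modLogs[subredditName] || [];
}

// Hardened resolver: the authorization decision is derived from the
// authenticated identity in `context` (set by the auth layer), never from a
// parameter the client controls.
function modLogResolverFixed(args, context) {
  const { subredditName } = args;
  const user = context.user;
  if (!user) {
    throw new Error("UNAUTHENTICATED");
  }
  const mods = moderators[subredditName];
  if (!mods || !mods.has(user)) {
    // Same response whether the subreddit is unknown or the caller is not a
    // mod, so the endpoint does not reveal which subreddit names exist.
    throw new Error("FORBIDDEN");
  }
  return modLogs[subredditName];
}

// Helper that turns the resolver outcome into a small status record, which is
// convenient for a deny/allow comparison in a test or an audit log.
function tryQuery(resolver, subredditName, user) {
  try {
    const rows = resolver({ subredditName }, { user });
    return { status: "ok", rows: rows.length };
  } catch (e) {
    return { status: e.message, rows: 0 };
  }
}

// Demonstration: alice moderates r_example only, but asks for r_other's log.
console.log(tryQuery(modLogResolverVulnerable, "r_other", "alice")); // leaks the log
console.log(tryQuery(modLogResolverFixed, "r_other", "alice"));      // FORBIDDEN
console.log(tryQuery(modLogResolverFixed, "r_example", "alice"));    // ok
```

The point of the hardened version is that the subreddit named in the query is only an input to the authorization check, not a substitute for it: the caller's identity comes from the session, and the resolver refuses unless that identity appears in the server's own moderator list for the requested subreddit.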
“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes.
The researcher was awarded a $5,000 bug bounty for the find.