Bug fixed within 24 hours and $5,000 bug bounty awarded

Simple IDOR vulnerability in Reddit allowed mischief-makers to perform mod actions

A vulnerability in Reddit allowed attackers to perform moderator actions or elevate regular users to mod status without the appropriate permissions.

The flaw could have allowed for all kinds of mischief, as Reddit mods are privileged to perform actions such as pin or remove posts, ban other users, and edit subreddit information.


Read more of the latest hacking news


As detailed in a recent HackerOne report, a bug hunter with the handle ‘high_ping_ninja’ found that Reddit failed to check if the user was a moderator of a particular subreddit when they attempted to access the mod logs via GraphQL.

“You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained.

Same-day fix

The insecure direct object reference (IDOR) bug was reported on August 3 and fixed on the same day.

“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes.

The researcher was awarded a $5,000 bug bounty for the find.


DON’T MISS Pwn stars: The best Black Hat and DEF CON talks of all time