Gaining unprivileged access to Reddit moderator logs
Here we go. Again.
IDOR, or insecure direct object reference, is a common but insecure way of referring to objects. By “insecure”, this simply means that it is easy to figure out the pattern by which objects are named. For example, the typical case of an IDOR is numerical IDs that increment by one, such as the first three user IDs of a system being user_10001, user_10002, and user_10003. If there are 5000 users, we can reasonably assume there is a user_12352 and a user_14999. We might not know who exactly these random users are, but we have now figured out how to directly reference objects in a predictable manner.
By itself, this causes no vulnerability, but it gives attackers valuable insight into how an application functions and references its own objects. It becomes a weakness for the application because any endpoint that forgets to check authorization can easily be abused. Finding these targets is not particularly complex, nor does attacking them take much effort. Previous bug bounties for this vulnerability type include a $20,000 bug bounty from GitLab and a $2500 bug bounty from Shopify.
I will be looking at a recent disclosure of an IDOR that HackerOne user high_ping_ninja found on a Reddit endpoint, earning a $5000 bug bounty.
I’m going to go over a recently disclosed and fixed bug found by HackerOne user high_ping_ninja on the social media site Reddit. The original report can be found here at H1, and all credit goes to high_ping_ninja for finding this bug.
On Reddit, communities gather and connect on subreddits, which serve as individual forums with their own set of guidelines for allowed content. Subreddits are usually patrolled by moderators, who act as admins making sure all members of a subreddit respect those guidelines. They can take actions, such as banning members or deleting posts and messages, at their discretion. All “moderator” actions are stored in a Moderation Log for each subreddit.
high_ping_ninja discovered that requests to fetch this mod log were not checking whether the requesting user was actually a moderator of that particular subreddit. This meant that any account could access sensitive messages and other moderator actions of any subreddit. By sending the following POST request, a user could access any mod log simply by changing the name of the subreddit.
There is some more nuance to the response to this request, which you can read about here, but basically it successfully returns the moderator log. This is not a numerical IDOR; rather, the IDOR is simply the fact that the API references the subreddit by name. By virtue of knowing the name of a subreddit, you also know how the Reddit backend references it as an object.
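To make the missing check concrete, here is an added illustration in Python (not Reddit’s code and not the reporter’s request): a minimal model of a mod-log handler in its vulnerable form, which looks the log up by subreddit name alone, next to a fixed form that authorizes the requester against that specific subreddit’s moderator set. The subreddit names, sample log entries and handler functions are all constructed for this example.

```python
# Added example, not Reddit's code. Models the mod-log endpoint described
# above: the object reference is the subreddit name, and the vulnerable
# handler never checks who is asking. All names and data are constructed.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Subreddit:
    name: str
    moderators: set[str]
    mod_log: list[str] = field(default_factory=list)


# Constructed sample data: two subreddits, each with its own moderator.
SUBREDDITS = {
    "r_example_a": Subreddit("r_example_a", {"mod_a"}, ["mod_a banned user_x"]),
    "r_example_b": Subreddit("r_example_b", {"mod_b"}, ["mod_b removed post 123"]),
}


class Forbidden(Exception):
    """Raised when the requester is not authorized for the referenced object."""


def get_mod_log_vulnerable(requester: str, subreddit: str) -> list[str]:
    # The IDOR: knowing the subreddit name is enough. `requester` is never
    # compared against the subreddit's moderator list, so any account that
    # can name the subreddit receives its moderation log.
    return SUBREDDITS[subreddit].mod_log


def get_mod_log_fixed(requester: str, subreddit: str) -> list[str]:
    # Fix: authorize against the specific object being referenced. An unknown
    # subreddit or a requester who does not moderate *this* subreddit is denied.
    sub = SUBREDDITS.get(subreddit)
    if sub is None or requester not in sub.moderators:
        raise Forbidden("requester is not a moderator of this subreddit")
    return sub.mod_log


def is_mod_anywhere(requester: str) -> bool:
    # Illustrates the insufficient variant of the check: "is a moderator of
    # some subreddit" is not the same as "moderates the requested one".
    return any(requester in s.moderators for s in SUBREDDITS.values())
```

Note that the fixed handler denies mod_b access to r_example_a even though is_mod_anywhere("mod_b") is true; the authorization decision has to be tied to the object the request names.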
This was granted a bug bounty of $5000 with a high severity rating, with the following reasoning from Reddit staff member goku_reddit:
The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions. (source: HackerOne)
Bugs don’t have to be complex to have great value!