Reddit Enabled Attackers to Perform Mod Actions due to IDOR Flaw


A vulnerability in Reddit allowed attackers to perform moderator actions, or to elevate ordinary users to moderator status, without the required authorization. Because subreddit moderators can pin or remove content, ban users from the subreddit, and modify subreddit metadata, the weakness could have enabled a wide range of abuse.
According to a recent HackerOne report, a bug researcher using the handle ‘high ping ninja’ found that when a client requested a subreddit's mod logs through Reddit's GraphQL API, Reddit did not verify that the requesting user was actually a moderator of that subreddit.
“You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained. 
The insecure direct object reference (IDOR) flaw was reported on August 3 and patched the same day. An IDOR is a form of access control vulnerability that occurs when an application uses user-supplied input (here, a subreddit name) to look up and return an object directly, without checking that the requesting user is authorized to access that particular object.
The term IDOR gained popularity after it appeared in the OWASP Top Ten in 2007. It is, however, only one of several access control implementation errors that
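To make the failure mode concrete, the following is an added, hypothetical example written for this article; it is not Reddit's code and does not reflect Reddit's real schema or data model. It models a mod-log resolver in the shape the report describes: the client supplies a subreddit name, and the only question is whether the server ties that name back to the caller's role. The names `mod_log_vulnerable`, `mod_log_fixed`, `subreddit_name`, `moderators` and the sample subreddits are all assumptions.

```python
"""Hypothetical IDOR in a mod-log resolver, beside its hardened form.

Illustrative example for this article; NOT Reddit's code. Field and
function names, and the sample data, are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


@dataclass
class Subreddit:
    name: str
    moderators: set
    mod_log: list = field(default_factory=list)


# Constructed sample data standing in for the server's database.
SUBREDDITS = {
    "cats": Subreddit("cats", {"alice"}, ["alice removed post t3_abc"]),
    "dogs": Subreddit("dogs", {"bob"}, ["bob banned user mallory"]),
}


def mod_log_vulnerable(caller: Optional[str], subreddit_name: str) -> list:
    """Looks up the subreddit named in the request and returns its mod log.

    The object reference (subreddit_name) comes straight from the client and
    nothing ties it to the caller, so any logged-in user can read the mod log
    of any subreddit just by changing the parameter: an IDOR.
    """
    if caller is None:
        raise Forbidden("login required")
    sub = SUBREDDITS[subreddit_name]
    return list(sub.mod_log)


def mod_log_fixed(caller: Optional[str], subreddit_name: str) -> list:
    """Same lookup, but authorization is checked against the object returned.

    The moderator check is evaluated on the server's own record of who
    moderates the requested subreddit, never on anything the client sent.
    """
    if caller is None:
        raise Forbidden("login required")
    sub = SUBREDDITS.get(subreddit_name)
    # Same error for "does not exist" and "not a moderator", so the endpoint
    # does not turn into an oracle for which subreddit names are valid.
    if sub is None or caller not in sub.moderators:
        raise Forbidden("not a moderator of this subreddit")
    return list(sub.mod_log)


def probe(resolver, caller: Optional[str], subreddit_name: str) -> str:
    """Call a resolver the way a tester would and summarise the outcome."""
    try:
        entries = resolver(caller, subreddit_name)
    except Forbidden:
        return "denied"
    return f"{len(entries)} entries"


if __name__ == "__main__":
    # mallory moderates nothing, yet the vulnerable resolver hands over the
    # mod log of "cats" as soon as she puts that name in the request.
    print("vulnerable, mallory -> cats:", probe(mod_log_vulnerable, "mallory", "cats"))
    print("fixed,      mallory -> cats:", probe(mod_log_fixed, "mallory", "cats"))
    print("fixed,      alice   -> cats:", probe(mod_log_fixed, "alice", "cats"))
```

The point of `probe` is the test a pentester actually runs for this class of bug: authenticate as a low-privilege account, then swap the object identifier for one you should not be able to reach and see whether the response changes. In the fixed resolver the check is performed against the object being returned, which is the only place an authorization decision for a direct object reference can be made correctly.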

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
