Another day, Another IDOR vulnerability— $5000 Reddit Bug Bounty
2022-8-6 13:22:32 Author: infosecwriteups.com

Gaining unprivileged access to Reddit moderator logs


Here we go. Again.

IDOR, or insecure direct object reference, is a common yet insecure practice of referring to objects. By “insecure”, this simply means that it is easy to figure out the pattern by which objects are named. For example, the typical case of an IDOR is a numerical ID that increments by one, such as the first three user IDs of a system being user_10001, user_10002, and user_10003. If there are 5000 users, we can probably assume there is a user_12352 and a user_14999. We might not know exactly who these random users are, but we have now figured out how to directly reference objects in a predictable manner.

By itself, this causes no vulnerability, but it gives attackers valuable insight into how an application functions and references its own objects. It becomes a weakness for the application because any endpoint that forgets to check authorization can easily be abused. Finding these targets is not particularly complex, nor does it take much effort to attack them. Previous bug bounties for this vulnerability type include a $20,000 bug bounty from GitLab and a $2500 bug bounty from Shopify.

I will be looking at a recent disclosure of an IDOR that HackerOne user high_ping_ninja found on a Reddit endpoint, earning a $5000 bug bounty.


I’m going to go over a recently disclosed and fixed bug found by HackerOne user high_ping_ninja on the social media site Reddit. The original report can be found here at H1, and all credit goes to high_ping_ninja on finding this bug.

On Reddit, communities gather and connect on subreddits, which serve as individual forums with their own set of guidelines for allowed content. Subreddits are usually patrolled by moderators, who serve as admins making sure all members of a subreddit respect its guidelines. They can take actions, such as banning members or deleting posts and messages, at their discretion. All “moderator” actions are stored in a Moderation Log for each subreddit.

high_ping_ninja discovered that requests to fetch this mod log were not checking whether the requesting user was indeed a moderator of that particular subreddit. This basically meant that any account could access sensitive messages and other moderator actions of any subreddit. By sending the following POST request, a user could access any mod log simply by changing the name of the subreddit.

Original PoC POST request from high_ping_ninja at HackerOne

There is some more nuance to the response of this request that you can read about here, but basically, it successfully returns the moderator log. This is not a numerical IDOR; rather, the IDOR is simply the fact that the API references the subreddit by name. By virtue of knowing the name of a subreddit, you also know how the Reddit backend references it as an object.
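To make the missing check concrete, here is an added toy example (not Reddit's code, and not from the original report) of a mod-log lookup keyed by subreddit name, first without any authorization check and then with the requester tied to the specific subreddit being returned. The subreddit names, accounts and log entries are constructed fixtures.

```python
# Added example (not Reddit's code): a toy mod-log endpoint that looks up the
# object by name, shown without and with the per-object authorization check.
# All subreddit names, users and log entries below are constructed.
from dataclasses import dataclass, field


@dataclass
class Subreddit:
    name: str
    moderators: set
    mod_log: list = field(default_factory=list)


# Constructed fixture: two subreddits with distinct moderator teams.
SUBREDDITS = {
    "examplesub": Subreddit("examplesub", {"mod_alice"}, ["ban user_x", "remove post 123"]),
    "othersub": Subreddit("othersub", {"mod_bob"}, ["lock thread 456"]),
}


class Forbidden(Exception):
    pass


def get_mod_log_vulnerable(requester: str, subreddit: str) -> list:
    """Resolves the subreddit by name and returns its log. The only check is
    that the object exists; `requester` is never consulted, so any signed-in
    account can read any subreddit's log just by changing the name."""
    sub = SUBREDDITS.get(subreddit)
    if sub is None:
        raise KeyError(subreddit)
    return list(sub.mod_log)


def get_mod_log_fixed(requester: str, subreddit: str) -> list:
    """Same lookup, but the requester must moderate *this* subreddit. The check
    is bound to the object being returned, not to the requester merely being
    a moderator somewhere on the site."""
    sub = SUBREDDITS.get(subreddit)
    if sub is None:
        raise KeyError(subreddit)
    if requester not in sub.moderators:
        raise Forbidden(f"{requester} is not a moderator of r/{subreddit}")
    return list(sub.mod_log)


def probe(handler, requester: str, subreddit: str) -> str:
    """Compare both handlers on the same request: 'ok', 'forbidden' or 'missing'."""
    try:
        handler(requester, subreddit)
        return "ok"
    except Forbidden:
        return "forbidden"
    except KeyError:
        return "missing"
```

Note that in the fixed handler a moderator of one subreddit is still refused the log of another, which is the case the authorization check must cover.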

This was granted a bug bounty of $5000 with a high severity rating, with the following reasoning from Reddit staff member goku_reddit:

The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions. (source: HackerOne)

Bugs don’t have to be complex to have great value!

Want to Connect? Please consider contacting me at [email protected], following me on Medium, buying me a coffee, following me on Twitter, or connecting with me on LinkedIn!



Source: https://infosecwriteups.com/another-day-another-idor-vulnerability-5000-reddit-bug-bounty-22a75003d999?source=rss----7b722bfd1b8d--bug_bounty