Reddit - HackerOne Reports

Total Reports: 71
Critical: 7
High: 21
Medium: 24
Low: 12
Information Disclosure To Use of Hard-coded Cryptographic Key
Reported by: ahmed_xyz | Severity: Medium | Weakness: Use of Hard-coded Cryptographic Key

API keys leaked
Reported by: saibalaji143_ | Severity: Medium | Weakness: Improper Access Control - Generic

Domain Takeover of Reddit.ru via DNS Hijacking
Reported by: indianajson | Severity: Medium | Weakness: Improper Access Control - Generic | Bounty: $500.00

Race condition leads to Inflation of coins when bought via Google Play Store at endpoint https://oauth.reddit.com/api/v2/gold/android/verify_purchase
Reported by: yashrs | Severity: Medium | Weakness: Time-of-check Time-of-use (TOCTOU) Race Condition

Email Verification Bypass And Get access to user's private invitation.
Reported by: manish_prajapat | Severity: Medium | Weakness: Business Logic Errors

Able to bypass email verification and change email to any other user email
Reported by: bisesh | Severity: High | Weakness: Improper Access Control - Generic | Bounty: $5000.00

Open Redirect on www.redditinc.com via `failed` query param
Reported by: lu3ky-13 | Severity: Medium | Weakness: Open Redirect

No Password Length Restriction leads to Denial of Service
Reported by: c_j_27 | Weakness: Uncontrolled Resource Consumption

Missing rate limit in current password change settings leads to Account takeover
Reported by: m0hacks | Severity: Medium | Weakness: Improper Restriction of Authentication Attempts

IDOR to pay less for coin purchases on oauth.reddit.com via /api/v2/gold/paypal/create_coin_purchase_order in `order_id` parameter
Reported by: yanouhd | Severity: Medium | Weakness: Business Logic Errors | Bounty: $500.00

Deleting all DMs on RedditGifts.com
Reported by: hakercic | Severity: High | Weakness: Insecure Direct Object Reference (IDOR) | Bounty: $5000.00

com.reddit.frontpage vulnerable to Task Hijacking (aka StrandHogg Attack)
Reported by: nexus2k | Severity: Medium | Weakness: Phishing

IDOR allows an attacker to modify the links of any user
Reported by: criptex | Severity: High | Weakness: Insecure Direct Object Reference (IDOR)

[dubsmash] Long String in 'shoutout' Parameter Leading to Internal Server Error on Popular hashtags, Community and User Profile
Reported by: sandeep_rj49 | Severity: High | Weakness: Uncontrolled Resource Consumption

[dubsmash] Lack of authorization checks - Update Sound Titles
Reported by: sandeep_rj49 | Severity: High | Weakness: Improper Authorization

Broken Authentication And Session Management
Reported by: kedibeauty | Weakness: Improper Access Control - Generic

OAuth Misconfiguration Leads To Account Takeover
Reported by: shylo | Severity: Medium | Weakness: Improper Authorization

S3 bucket takeover present in https://github.com/reddit/rpan-studio/blob/e1782332c75ecb2f774343258ff509788feab7ce/CI/full-build-macos.sh
Reported by: gaurav-bhatia | Severity: High | Weakness: Business Logic Errors | Bounty: $5000.00

Open Redirect on www.redditinc.com via `failed` query param bypass after fixed bug #1257753
Reported by: lu3ky-13 | Severity: Medium | Weakness: Open Redirect

Reflected XSS in https://sh.reddit.com
Reported by: abhiramsita | Severity: High | Weakness: Cross-site Scripting (XSS) - Reflected | Bounty: $5000.00