hardcoded api secret & api key in com.reddit.frontpage
👉 https://hackerone.com/reports/1241116
🔹 Severity: Critical
🔹 Reported To: Reddit
🔹 Reported By: #falcon_319
🔹 State: ⚪️ Informative
🔹 Disclosed: October 21, 2021, 7:47pm (UTC)
s3 bucket takeover presented in https://github.com/reddit/rpan-studio/blob/e1782332c75ecb2f774343258ff509788feab7ce/CI/full-build-macos.sh
👉 https://hackerone.com/reports/1285598
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #bhatiagaurav1211
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 7:48pm (UTC)
Content Spoofing
👉 https://hackerone.com/reports/1165919
🔹 Severity: Low
🔹 Reported To: Reddit
🔹 Reported By: #abdallah1911
🔹 State: 🔴 N/A
🔹 Disclosed: October 21, 2021, 7:49pm (UTC)
[dubmash] Lack of authorization checks - Update Sound Titles
👉 https://hackerone.com/reports/1102365
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #sandeep_rj49
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 7:49pm (UTC)
IDOR to pay less for coin purchases on oauth.reddit.com via /api/v2/gold/paypal/create_coin_purchase_order in `order_id` parameter
👉 https://hackerone.com/reports/1213765
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Reddit
🔹 Reported By: #yanouhd
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 7:50pm (UTC)
Deleting all DMs on RedditGifts.com
👉 https://hackerone.com/reports/1213237
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #parasimpaticki
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 7:51pm (UTC)
No Password Length Restriction leads to Denial of Service
👉 https://hackerone.com/reports/1243009
🔹 Severity: No Rating
🔹 Reported To: Reddit
🔹 Reported By: #c_j_27
🔹 State: 🟤 Duplicate
🔹 Disclosed: October 21, 2021, 7:51pm (UTC)
Email Verification Bypass And Get access to user's private invitation.
👉 https://hackerone.com/reports/1350401
🔹 Severity: Medium
🔹 Reported To: Reddit
🔹 Reported By: #manish_prajapat
🔹 State: 🔴 N/A
🔹 Disclosed: October 21, 2021, 7:51pm (UTC)
No Rate Limit on redditgifts gift when Adding Comment
👉 https://hackerone.com/reports/1202408
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Reddit
🔹 Reported By: #bhatiagaurav1211
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 7:52pm (UTC)
Domain Takeover of Reddit.ru via DNS Hijacking
👉 https://hackerone.com/reports/1226891
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Reddit
🔹 Reported By: #faberge
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 7:52pm (UTC)
Oauth Misconfiguration Lead To Account Takeover
👉 https://hackerone.com/reports/1212374
🔹 Severity: Medium
🔹 Reported To: Reddit
🔹 Reported By: #shylo
🔹 State: 🟤 Duplicate
🔹 Disclosed: October 21, 2021, 7:53pm (UTC)
XSS
👉 https://hackerone.com/reports/1209098
🔹 Severity: No Rating
🔹 Reported To: Reddit
🔹 Reported By: #shylo
🔹 State: 🔴 N/A
🔹 Disclosed: October 21, 2021, 7:53pm (UTC)
critical file found etc/passwd on www.reddit.com
👉 https://hackerone.com/reports/1187003
🔹 Severity: High
🔹 Reported To: Reddit
🔹 Reported By: #himan253
🔹 State: 🔴 N/A
🔹 Disclosed: October 21, 2021, 7:54pm (UTC)
User Account has been taken out
👉 https://hackerone.com/reports/1195340
🔹 Severity: Critical
🔹 Reported To: Reddit
🔹 Reported By: #ravitejag
🔹 State: 🟤 Duplicate
🔹 Disclosed: October 21, 2021, 7:55pm (UTC)
Vulnerability Name: URL Redirection / Unvalidated Open Redirect
👉 https://hackerone.com/reports/1182824
🔹 Severity: No Rating
🔹 Reported To: Reddit
🔹 Reported By: #hasnain_123
🔹 State: 🔴 N/A
🔹 Disclosed: October 21, 2021, 7:55pm (UTC)
Broken Authentication And Session Management
👉 https://hackerone.com/reports/1167029
🔹 Severity: No Rating
🔹 Reported To: Reddit
🔹 Reported By: #kedibeauty
🔹 State: 🔴 N/A
🔹 Disclosed: October 21, 2021, 7:56pm (UTC)
GPS metadata preserved when converting HEIF to PNG
👉 https://hackerone.com/reports/1069039
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #ianonavy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 7:57pm (UTC)
S3 bucket Upload on studio.redditinc.com (s3-r-w.ap-east-1.amazonaws.com)
👉 https://hackerone.com/reports/1276733
🔹 Severity: Low
🔹 Reported To: Reddit
🔹 Reported By: #dinesh07
🔹 State: ⚪️ Informative
🔹 Disclosed: October 21, 2021, 8:00pm (UTC)
Misuse of groups feature allows workspace members to join private channels without being invited
👉 https://hackerone.com/reports/1248852
🔹 Severity: High | 💰 3,500 USD
🔹 Reported To: Slack
🔹 Reported By: #kmap
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 8:08pm (UTC)
Reflected XSS in TikTok endpoints
👉 https://hackerone.com/reports/1350887
🔹 Severity: Medium | 💰 4,500 USD
🔹 Reported To: TikTok
🔹 Reported By: #sh1yo
🔹 State: 🟢 Resolved
🔹 Disclosed: October 22, 2021, 1:44am (UTC)
Broken link profile in the website leads to identity theft.
👉 https://hackerone.com/reports/1343733
🔹 Severity: Medium
🔹 Reported To: Lacework
🔹 Reported By: #spyata
🔹 State: 🟢 Resolved
🔹 Disclosed: October 22, 2021, 5:35pm (UTC)