Why this SIMPLE mistake earned a $5000 bug bounty from Reddit
2022-07-28 16:04:48 Author: infosecwriteups.com

Moral of the story — be careful when you refactor code

Refactoring code is commonplace, especially as a code base grows, more complexity is added to existing functionality, and new technologies are introduced that improve performance. Refactoring is usually a pain in the ass, since you have to make sure everything that was once working still works in the new format. Any mistake can introduce new bugs, and in Reddit’s case this bug cost them $5000.

Image caption: AI-generated image for “reddit frowning illustration” at craiyon.com

HackerOne user bisesh submitted a report to Reddit describing a broken access control on the https://ads.reddit.com domain. Broken access control was listed as the “most serious web application security risk” in OWASP’s 2021 Top 10 list. Essentially, bugs resulting in this type of weakness allow users to gain permissions they are not supposed to have. This can include viewing or editing data for which you do not have permissions (e.g. accessing another user’s sensitive information), bypassing certain checks, or acting as an admin when you are not one.

This is exactly what bisesh found. After an ad campaign was created on Reddit’s site, it needed payment details and approval from Reddit admins before it could run. However, by sending a certain PATCH request for the ad, bisesh was able to skip this admin approval and simply activate the team’s own ad campaign. Skipping this two-step process broke the standard access control.

According to Reddit’s team, the API originally checked the privileges of the user sending the PATCH request: if the user was not an admin, the request was blocked. During a code refactoring, however, this check was moved elsewhere, and its absence from this path was not caught by the team or by the unit tests previously set up.
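To make the class of bug concrete, here is an added example written for this write-up; it is not Reddit’s code, and the handler, the minimal campaign model and the regression check are assumptions (only the field names admin_approval and effective_status come from the report). It shows a PATCH handler that assigns every field in the body after only an ownership check, next to a version that enforces the admin-only fields in the handler itself, plus the kind of unit test that would have caught the refactoring regression.

```python
from dataclasses import dataclass
# Admin-only fields; the two names come from the HackerOne report summary.
ADMIN_ONLY_FIELDS = {"admin_approval", "effective_status"}

@dataclass
class Campaign:            # hypothetical minimal campaign model
    owner: str
    admin_approval: str = "PENDING"
    effective_status: str = "PAUSED"

@dataclass
class User:
    name: str
    is_admin: bool = False

class Forbidden(Exception):
    pass

def patch_campaign_vulnerable(user, campaign, body):
    """Post-refactor shape of the bug: ownership is checked, but the admin
    check moved out of this path, so every field in the body is assigned
    and an advertiser can approve their own campaign."""
    if user.name != campaign.owner and not user.is_admin:
        raise Forbidden("not your campaign")
    for key, value in body.items():
        setattr(campaign, key, value)
    return campaign

def patch_campaign_fixed(user, campaign, body):
    """Hardened handler: the admin check is enforced per field here, so a
    refactor of surrounding code cannot silently drop it."""
    if user.name != campaign.owner and not user.is_admin:
        raise Forbidden("not your campaign")
    privileged = set(body) & ADMIN_ONLY_FIELDS
    if privileged and not user.is_admin:
        raise Forbidden(f"admin-only fields: {sorted(privileged)}")
    for key, value in body.items():
        setattr(campaign, key, value)
    return campaign

def regression_check(handler) -> bool:
    """The unit test the write-up says was missing: a non-admin owner must be
    refused when setting approval fields. True if the handler passes."""
    advertiser, campaign = User("advertiser"), Campaign(owner="advertiser")
    body = {"admin_approval": "APPROVED", "effective_status": "ACTIVE"}
    try:
        handler(advertiser, campaign, body)
    except Forbidden:
        return campaign.admin_approval == "PENDING"
    return False
```

Running regression_check against both handlers shows the vulnerable one silently approving the campaign and the fixed one refusing, which is exactly the assertion a test suite needs so that a later refactor cannot drop the check unnoticed.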

The summary from bisesh’s report:

In https://ads.reddit.com/ you can create a campaign under which you can create ads. Once you create a new campaign, it is in a pending stage and will not be delivered unless you add payment details and it is reviewed by an admin and approved, according to what it says here: https://advertising.reddithelp.com/en/categories/ad-review/about-reddits-ad-review-process. But by changing the value of admin_approval to APPROVED and effective_status to ACTIVE, the ad is approved and thus we receive the confirmation email from Reddit Ads that our ad is approved. (source: HackerOne Report)

bisesh provided reproducible steps that included 1) creating a campaign and 2) sending the following PATCH request to update the value to approved.

Image caption: PATCH request to modify the ad campaign

This bug is quite simple: send a PATCH request and you can approve your own ad campaigns without paying for them. Therefore, it has a huge business implication for Reddit. Reddit Ads generates millions of dollars (over $100 million USD in 2021 quarter 2, according to this). Being able to bypass a core profit generator would be a major issue for Reddit. The combination of a very easy, reproducible exploit with this huge impact on the business makes this worth a $5000 bounty. As the Reddit staff best put it, “it was a good one”.

Incredible work again by bisesh, and congrats on your $5000 bounty. Thanks for reading through and please leave any constructive feedback, suggestions, or questions below! If you enjoyed, please consider following me on Medium. Contact me at [email protected], follow me on twitter, and connect with me on LinkedIn!



Article source: https://infosecwriteups.com/why-this-simple-mistake-earned-a-5000-bug-bounty-from-reddit-d906cb46c60e?source=rss----7b722bfd1b8d--bug_bounty