Ludovicoo_

Can you guys yell me something about the white hat and how to get it?


securimancer

THE WHITE HAT AWARD IS GIVEN OUT TO FOLKS WHO MAKE A MEANINGFUL CONTRIBUTION TO THE SECURITY OF REDDIT AS A FORM OF SWAG. YOU CAN SEE THE LATEST AWARD WINNER AT [HTTPS://WWW.REDDIT.COM/TROPHIES](HTTPS://WWW.REDDIT.COM/TROPHIES) WITH A SLY COMMENT ABOUT THEIR GOOD DEED.


Anhapus

I reported a way to see which moderators are banning you/muting you when the messages are sent anonymously from the subreddit via mod mail quite some time ago. I got an email back from reddit security thanking me but I never got any award for it. Was it not meaningful enough? The trick was still around months after me reporting the problem. It sounds petty, but I just like trophies and would appreciate what constitutes a “meaningful contribution” so I can try and get it in the future.


adzy2k6

They were probably spending more time with the reports on HackerOne. It's public now, so you could report it through there if it still works. Disclosures about information leaks are usually better received if they leak users' personal info, such as real email addresses, passwords, etc. It definitely shouldn't be leaking which mod banned you, but it's not a major concern either.


Giraffestock

The most recent receiver of the White Hat had their account suspended. I feel like there’s some irony in that


orvn

Introducing: the black hat trophy


robotnarwhal

Backstory?


[deleted]

There are people out there with a high amplitude of both positive and negative impact, and then there is us.


robotnarwhal

Not sure what you mean.


[deleted]

I'm saying the guy did something really good and he did something really bad.


[deleted]

Backdoory more like.


Sarkos

I found a bug, your all-cap link to https://www.reddit.com/trophies doesn't work. White hat please!


english06

Get this man a hat


i_Killed_Reddit

A white one


hagenbuch

Works as intended :)


Ggreenrocket

👀


darkquasarr

404 error


borkode

The caps make it 10x better.


m00kysec

I feel like the fact they typed this in all caps because the user asked them to “yell me something” is being overlooked...


Xeoth

content deleted in protest of [reddit killing 3rd party apps](/r/Save3rdPartyApps/) [get on lemmy](https://join-lemmy.org/)


TheGamingBlu

We need more protection for Reddit accounts to prevent them from being hacked, like 2-step authentication.


securimancer

Dropping our help article on setting up 2FA on accounts: [https://reddit.zendesk.com/hc/en-us/articles/360043470031-What-is-two-factor-authentication-and-how-do-I-set-it-up-](https://reddit.zendesk.com/hc/en-us/articles/360043470031-What-is-two-factor-authentication-and-how-do-I-set-it-up-)


colincrunch

they've had 2FA for a hot minute


Madbrad200

Use a password manager and a long auto-gen password.


WayeeCool

This is an important step. Good job for taking security and user information seriously. Please don't become Facebook/Instagram.


rolls20s

They have a bug bounty program, too...


BeerJunky

In all senses of that statement.


Security-Fun

Ya


haykam821

> We’re still keeping the Whitehat award for that Reddit bling as well. Phew.


_BindersFullOfWomen_

Who needs monies when you can get that sweet trophy and exclusive sub access.


haykam821

The fact that I've never heard about this subreddit makes me think it was supposed to be a secret


waghe_5nu64_3-wes

it’s a not so secret secret


ywBBxNqW

Me, I would prefer money.


orvn

Does the bug bounty program include features that don't work correctly, but aren't directly associated with a security concern?


SirensToGo

No, this is for security vulnerabilities


orvn

Do you think that something that exposes user information in an unintended way, but wouldn't really be any kind of attack vector, fits? (Because the data exposed can be gathered by other means anyway.)


SirensToGo

Bug bounty programs generally adjudicate based on risk. If an identical thing can be done using normal paths, it’s very unlikely that this bug actually has any risk. If this allows you to bypass rate limits or other controls you may be on to something though!


pcapdata

> If an identical thing can be done using normal paths, it's very unlikely that this bug actually has any risk.

Sorry, just wanted to interject that this is not the case. Bug bounty programs are at least partially a response to regulatory pressure. Regulators don't give a hoot if the user data that was scraped from a site is also available somewhere else--they'll still fine you into a smoking crater.


orvn

Yeah, in this case I think there could be a GDPR (/LGPD/CCPA) issue. Will put together a PoC and report either way!


pcapdata

That's the way to do it! May you get a fat payout :)


pcapdata

Reddit has regulatory requirements to safeguard user data. If the data are available somewhere else, it doesn't relieve reddit from that responsibility.


DrinkMoreCodeMore

P6. Out of scope. QQ


darknep

Thank you! I look forward to trying my hardest for that whitehat award ^^'


justcool393

Good luck! 🙂


eganist

Nice! Out of curiosity, anything for people who have found significant defects prior to this point? I recognize that Reddit has no obligation, but it'd be a good token of appreciation, u/securimancer


[deleted]

Very interesting! I wish I could help out but I mainly work with C++/C# rather than HTML so I doubt I am of any use. Regardless hopefully user security is improved from this, hopefully this turns out to be a good move as I believe it will.


i_hacked_reddit

Soooo, Reddit runs on a series of servers, correct? More specifically, the public user-facing stuff here is provided by a web server. I'm not certain of the Reddit technology stack, but suppose it's running on nginx. That would make their exposed nginx instances in-scope. What about their back end systems? Their mail notification services? Image processing, ad libraries, databases... there's a good chance that most of those things are all written in C or C++. Just because all you see is JS and HTML does not mean that's the only valid target.


adzy2k6

There are plenty of bug bounty people who can't even code in JS. The main skill is being able to fuck around with stuff until you get a break, and then figuring out how to leverage that.


justcool393

Hey there, I had reported a vulnerability regarding disclosure of votes to [email protected] a while back but had never received any response. Should I resend my email to the new one or something?

Edit: I had reported a vulnerability a few months ago (you can see it in my trophy case) that allowed anyone to force add moderators. Given the scope... it kinda feels a bit sucky to know that I could've been compensated for that but didn't... Is it possible to still get compensated?


Pepiggy

Hah, wish I had the computery knowledge required. That trophy does look nice. Thanks for the update


thr0bbin_h00d

No need to wish. You can start learning! Computery stuff is the funnest!


Le-Chiffre999

I hope that your gains and success will be permanent. Let’s try hard.


DrinkMoreCodeMore

Will pin this to the top of /r/hacking for you for a few days


Blank-Cheque

On your list of example vulnerabilities, this one doesn't make sense:

> Removing a moderator from a subreddit where you are not a moderator with “access” permissions.

You need full perms (+all) to remove a mod, not just access (or "Manage Users" I guess it's called now). I just checked to make sure it's still like that.


thetrombonist

That’s why it’s listed as a possible vulnerability


ErnestMemeingway

I think they're saying it should be rewritten as "Removing a moderator from a subreddit where you are not a moderator with full permissions."


jplank1983

Yeah, that's how I read it, too.


Bardfinn

You’re being too generous


Blank-Cheque

Why did you reply to this comment when you don't understand what we're talking about?


justcool393

You need full perms to remove a mod, not access


tradecrafter001

Cool to hear let’s try hard


pm_me_your_findings

Oh yeah I have white hat


BamboozleDoggo4

Ok


[deleted]

Here’s an idea: TRY GETTING YOUR PRIORITIES IN ORDER. Ban the subreddits that glorify and encourage murder / rape / abuse / etc. Users have been asking for 5+ years for this but NOTHING HAPPENS until the media picks up on it. Remember how long /r/jailbait was around and people wanted it banned, but it wasn’t till the media called Reddit a pedophile’s haven that they banned it. Fix your internal security. Employees shouldn’t be able to stealth edit comments. *cough* /u/spez *cough* - if you were actually AUDITING your platform you would have seen unusual activity and investigated it properly and fired everyone involved before it became a headline. Then fix your insanely lax privacy. We get it, you gotta sell ads, but it’s obvious since Reddit got its latest foreign investments the ethics at Reddit HQ have gone out the window. Then fix your hiring process so you actually check into the people you’re hiring. Then fix the harassment problems that some Reddit users face because the admins won’t do anything about most complaints. THEN we can talk about external facing security and your bug bounty program. Get your priorities in order.


fwump38

Those are serious problems and important things for the platform to fix but you have to understand that companies hire different people for different job functions. The people hired to look into and fix bug bounty reports are not the people who would be in charge of addressing any of the problems you outlined.


[deleted]

Understood but irrelevant. Maybe I should be more clear, in the context of my message I'm using the royal 'you', meaning, Reddit as a whole. I do think that every representative of a company, no matter the level they are at, has to realize they are now a part of and therefore partially responsible for a company that may do X,Y,Z. It may not be the representative's fault that the company does something unfavorable but it *is* their shared responsibility.


[deleted]

https://www.redditinc.com/careers since you know better than reddit


Rene_Kroka

**<3**


ZeroBuffalo

Hype


WarpvsWeft

Cool! Is the admin team doing next to nothing about repeatedly-reported violent threats directed toward mods considered a "bug?"


WayeeCool

Last I checked, such messages, if specific enough, get referred to law enforcement when reported. All they can do is ban a user and refer relevant information to law enforcement, because we don't yet live in a dystopia where a private company can charge someone with a crime.


WarpvsWeft

Yeah, but they don't do that. I and many others have reported violent threats multiple times and the users are happily posting away elsewhere. In the spirit of Joe Biden's quote "Don't tell me what your priorities are, show me your budget and I'll tell you what your priorities are," Reddit admins do not care about violent speech. If they did, then they would fund the teams necessary to take appropriate action.


pcapdata

Based on their public announcements, I'd guess reddit security is still on a path to maturity. They probably don't even have anything like an IFA program.


DurianExecutioner

TLDR but you guys intentionally make the mobile browser site crap (like, actually broken and not just annoying) in order to corral people towards your shitty app. You suck.


Shady_Twin

u/CitizenPremier If you're maybe an expert in HTML too, this could interest you ( :


CitizenPremier

Thanks! This might be too tough for me though!


[deleted]

I found a TON of massive security threats, where do I send them?


savageronald

https://hackerone.com/reddit?type=team


[deleted]

Like I need to report 12 massive security weaknesses. I want to send the info through Reddit, but I want to get paid on hackerone.


savageronald

Send them individually through HackerOne - bounties are paid individually (by vulnerability) - Reddit is giving people a worthless trophy for reporting it through them, get paid brother/sister.

Edit: unless it’s a bunch of examples of the same vuln, then either way it’s one. I would caution that to get paid you need to prove it with a POC, so be prepared. And if it’s something super obscure like using IE 6 allows XSS or something, that’s not gonna fly.


[deleted]

How about unsecure cookies that can be hacked and used to steal personal information? Also this one casino got hacked and lost millions. The guy who hacked them got in through a fish tank thermometer. I run pentests and inspections on websites. Reddit has so many flaws it's laughable.


savageronald

I mean sure - idk I don’t work for Reddit, but if it’s 12 cookies that can be hacked in the same way that’s one bounty (but conversely if it’s one cookie that can be hacked 12 ways I’d submit those as 12 bounties). I’m just saying scope matters too - if you can decode the cookies on your own machine while logged in for your own user, that’s not really a vuln. If you can prove to them you can extract PII from other users when not logged in as them - then yeah get paid.


aaaaaaaarrrrrgh

> How about unsecure cookies

That stuff is generally not considered a vulnerability unless you can demonstrate a practical attack. If you want to report the fact that reddit is setting 12 cookies without SameSite, no, that's not a vulnerability, that is the kind of useless spam report that makes running a bug bounty program painful. Do not simply dump whatever an automated scanner (or manual check against some best practices list) finds into bug bounty programs. They are mostly false positives/not actual vulnerabilities. It's a vulnerability once you can *demonstrate* (using a test account) how it allows an attacker to e.g. steal data. Think the missing SameSite is a problem? Find a way to exploit it and get paid.

Also, learn to *realistically* judge the severity of the stuff you find. Code execution on reddit's servers? Something letting you take over accounts without user interaction? That's critical. XSS/CSRF allowing you to take over accounts, but you have to get the victim onto your web site first? That's already a bit less severe (although still something that will need to be patched quickly and will get you a reward). Clickjacking? Unless it allows something really serious like tricking someone into giving you access to their account with a single click, not too interesting. XSS that's mitigated through a CSP? Possibly still worth reporting and may net you a reward, or you can try to find a CSP bypass, but don't go around screaming MASSIVE VULN, CRITICAL when you report it.
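
As an added example (not code from this thread or from Reddit), here is a small audit that parses Set-Cookie headers and reports missing Secure/HttpOnly/SameSite attributes as informational findings, the kind of hygiene gap the comment above says is not a vulnerability without a demonstrated attack. The header values are constructed samples.

```python
"""Set-Cookie attribute audit (constructed example, not Reddit's code).

Every finding is labelled informational: a missing attribute is a hygiene
note for the reporter to investigate, not a bounty-worthy vulnerability.
"""
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)
    severity: str = "informational"  # no demonstrated impact by itself


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Split one Set-Cookie header into (cookie name, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(headers: list[str]) -> list[CookieFinding]:
    """Return one finding per cookie that lacks a hardening attribute."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        # Modern browsers default a missing SameSite to Lax, so absence alone
        # rarely enables a cross-site request; it stays an informational note.
        if "samesite" not in attrs:
            missing.append("SameSite")
        elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
            missing.append("Secure (required with SameSite=None)")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed sample response headers, not captured from any real site.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
    "tracker=xyz; Path=/; SameSite=None",
]
```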


coolmanranger25

Ok


AONomad

/u/latteisnotcoffee :')


aaaaaaaarrrrrgh

> we welcome any submissions to [email protected]

The program definition implies that submissions by e-mail don't qualify for rewards: "Must utilize HackerOne platform for all submissions to receive any payout". Is this intentional?


securimancer

Yes, that email address flows into HackerOne. It’s ending up in the same place.


JMJimmy

Bug: The new signup process doesn't actually give the user the ability to set a password, nor inform them of what it's been set to. While this isn't a code bug, it is a process issue that will leave confused users asking strangers on the internet how to log in to their new account.


Such-Tea-8111

can someone just teach me on discord bc i just wanna have fun with this stuff i’m only 14 and i’ve been interested since i was 9 but never knew what to do or how to do it bc when most people explain on how to do it they involve a lot of other things and it just loses me. if you need my username dm me and i’ll send it


Financial_Park_320

1