193 matches found
North Korean Hackers Are Attacking US Hospitals
Plus: Deepfake disinformation spotted in the wild, Android privacy problems in China, Reddit gets phished, and more...
Reddit breached, here's what you need to know
On Thursday, February 9, 2023, Reddit reported that it had experienced a security incident as a result of an employee being phished. What happened? According to Reddit, it "became aware of a sophisticated phishing campaign" late on February 5, 2023, that attempted to steal credentials and...
Reddit Hacked After Employee Bites on Phishing Scam
By Deeba Ahmed According to Reddit, the breach took place after one of its employees fell for a phishing scam email sent through a malicious fake website. This is a post from HackRead.com Read the original post: Reddit Hacked After Employee Bites on Phishing Scam...
RedditOnRails 访问控制错误漏洞
RedditOnRails is a Reddit-like site built on Ruby on Rails. An access control error vulnerability exists in RedditOnRails, which stems from incorrect access control...
Reddit: oauth misconfigration lead to account takeover
Vulnerability description not provided...
Reddit: api keys leaked
Summary: Disclosure of valid private keys may lead to unauthorized access to any systems that use them for authentication. Verify whether any keys disclosed are actually valid, and whether their disclosure within the application is appropriate Impact: Disclosure of valid private keys may lead to...
Reddit: read and message other user's messages
Vulnerability description not provided...
A week in security (August 22 - August 28)
Last week on Malwarebytes Labs: Cryptojackers growing in numbers and sophistication CISA wants you to patch these actively exploited vulnerabilities before September 8 Reddit users crowdsourcing explicit images and identities Criminals socially engineer their way to bank details with fake arrest...
Reddit users crowdsourcing explicit images and identities
The BBC is warned of a large photograph trading ring which operated on popular group forum site Reddit. These warnings are in relation to stolen nude photographs and other content shared without permission. In this case, even non-explicit photos are being posted alongside frequently degrading and...
Reddit: IDOR allows an attacker to modify the links of any user
Hi team! I found an IDOR which allows to modify the links of any user. Users can put their custom links or social media links on their profile, ex: F1855366 To reproduce this: - Replicate the following request by replacing it with your own authentication headers: You must also put in the body of...
Reddit: Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability
Summary: There's no check if the user is moderator of the particular subreddit or not while trying to access the mod logs via gql.reddit.com by using operation id. You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of...
Reddit: Reddit talk promotion offers don't expire, allowing users to accept them after being demoted
Description: When promoting a user to a speaker/host, an offerId is created which can be accepted by the user. However, after accepting them the offerIds don't expire. This means that after the user is demoted back to a listener, they can still use the offerIds to go back to their previous promot...
Reddit: Can use the Reddit android app as usual even though revoking the access of it from reddit.com
Summary: Hi Team, For the last 4 days, I kept testing reddit web. That time, I revoked app access from the old.reddit.com and i checked my app and as expected i was not able to use the account in my app. After 2 days I was checking the chat invites feature on the web and after some time I turned ...
Reddit: Rate limit is implemented in Reddit , but its not working .
Vulnerability description not provided...
Malicious code in reddit-client-lib (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6334d220686bbc61b76a7ebb42383b2aaba756c99ec547cdf39748884d32fd3e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-5720 Malicious code in reddit-client-lib (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6334d220686bbc61b76a7ebb42383b2aaba756c99ec547cdf39748884d32fd3e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Reddit: Several Subdomains Takeover
there are some subdomains in reddit.com those are vulnerable to takeover subdomain attack. I found these subdomains while I have been testing the subdomains of reddit.com. Steps To Reproduce: add details for how we can reproduce the issue 1. create a user account in reddit.com. 2. there are some...
Reddit: Misconfigurated login page able to lock login action for any account without user interaction
Summary While observing a few things about the login feature, I found that the account was locked after a certain number of requests. Although this feature is actually added to prevent problems such as rate limit, it is open to account lock attacks by attackers. PoC 1. Save this code as exploit.p...
Reddit Terminal Viewer (RTV) vulnerable to argument injection attacks
scripts/inspectwebbrowser.py in Reddit Terminal Viewer RTV 1.19.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL...
GHSA-336H-Q7MH-8VF8 Reddit Terminal Viewer (RTV) vulnerable to argument injection attacks
scripts/inspectwebbrowser.py in Reddit Terminal Viewer RTV 1.19.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL...