| Title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| Exposed proxy allows access to internal reddit domains | Improper Access Control - Generic | la_revoltage | High | 2025-02-24 |
| IDOR lets a malicious user reveal the unpinned achievement badges of any Reddit user | Insecure Direct Object Reference (IDOR) | saurabhb | Low | 2024-08-09 |
| Information Disclosure Due to Use of Hard-coded Cryptographic Key | Use of Hard-coded Cryptographic Key | ahmed_xyz | Medium | 2024-02-06 |
| Regression on dest parameter sanitization doesn't check scheme/websafe destinations | Cross-site Scripting (XSS) - Reflected | mrzheev | Medium | 2023-06-03 |
| Rate limit is implemented in Reddit, but it's not working. | Improper Authentication - Generic | suryanm | Low | 2023-05-18 |
| Broken links make users from France unable to understand the allowed content policy | None supplied | ardyanv1ckyramadhan | None | 2023-05-18 |
| HTML injection in API response including request url | Remote File Inclusion | prilvesh | Critical | 2023-05-18 |
| Read and message other users' messages | Insecure Direct Object Reference (IDOR) | beksem35 | Critical | 2023-05-18 |
| OAuth misconfiguration leads to account takeover | Incorrect Authorization | greymanx1 | No rating | 2023-05-18 |
| CVE-2020-11022 | Cross-site Scripting (XSS) - Reflected | greymanx1 | Medium | 2023-05-18 |
| Reflected XSS via File Upload | Cross-site Scripting (XSS) - Reflected | greymanx1 | Medium | 2023-05-18 |
| [accounts.reddit.com] Redirect parameter allows for XSS | Cross-site Scripting (XSS) - Generic | dvorakxl | High | 2023-05-18 |
| Huge number of Subdomain Takeovers at Reddit.com | Improper Access Control - Generic | krrishbajaj | Medium | 2023-05-18 |
| No rate limit leads to spamming posts | Improper Authentication - Generic | nshcys3c | Medium | 2023-05-18 |
| Blind SSRF to internal services in matrix preview_link API | Server-Side Request Forgery (SSRF) | la_revoltage | High | 2023-04-26 |
| RichText parser vulnerability in scheduled posts allows XSS | Cross-site Scripting (XSS) - Stored | la_revoltage | High | 2023-04-20 |
| Admin can create a hidden admin account which even the owner cannot detect and remove, and do administrative actions on the application. | Improper Access Control - Generic | 41bin | High | 2022-11-14 |
| Sensitive data exposure | Insecure Storage of Sensitive Information | saibalaji143_ | High | 2022-11-10 |
| API keys leaked | Improper Access Control - Generic | saibalaji143_ | Medium | 2022-11-10 |
| Reddit talk promotion offers don't expire, allowing users to accept them after being demoted | Insecure Direct Object Reference (IDOR) | ahacker1 | Medium | 2022-10-03 |
| Open Redirect on www.redditinc.com via `failed` query param bypass after fixed bug #1257753 | Open Redirect | lu3ky-13 | Medium | 2022-09-30 |
| IDOR allows an attacker to modify the links of any user | Insecure Direct Object Reference (IDOR) | criptex | High | 2022-09-30 |
| Unrestricted File Upload on reddit.secure.force.com | None supplied | heckintosh | Low | 2022-09-30 |
| XSS Reflected on reddit.com via url path | Cross-site Scripting (XSS) - Reflected | criptex | High | 2022-09-27 |
| Open Redirect on www.redditinc.com via `failed` query param | Open Redirect | lu3ky-13 | Medium | 2022-09-22 |
| Getting access to mod logs from any public or restricted subreddit with IDOR vulnerability | Insecure Direct Object Reference (IDOR) | high_ping_ninja | High | 2022-08-04 |
| XSS in redditmedia.com can compromise data of reddit.com | Cross-site Scripting (XSS) - Stored | keer0k | Medium | 2022-08-03 |
| One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on www.redditmedia.com | Improper Access Control - Generic | fransrosen | Critical | 2022-08-02 |
| Can use the Reddit android app as usual even after revoking its access from reddit.com | Insufficient Session Expiration | sateeshn | Critical | 2022-07-16 |
| Open Redirect through POST Request in www.redditinc.com | Open Redirect | kratul | Medium | 2022-07-08 |
| Moderators can send messages to users from banned subreddits via `oauth.reddit.com/api/mod/conversations` | Improper Input Validation | ba-reynolds | Low | 2022-07-04 |
| Able to approve admin approval and change effective status without adding payment details. | Business Logic Errors | bisesh | High | 2022-06-22 |
| CSRF (protection bypassed) to force a below-18 user into viewing an NSFW subreddit! | Cross-Site Request Forgery (CSRF) | marvelmaniac | Medium | 2022-06-16 |
| Several Subdomain Takeovers | None supplied | 3amii | High | 2022-06-08 |
| Misconfigured login page able to lock login action for any account without user interaction | None supplied | ug0x01 | Critical | 2022-06-06 |
| Reflected XSS in https://sh.reddit.com | Cross-site Scripting (XSS) - Reflected | abhiramsita | High | 2022-05-08 |
| Able to bypass email verification and change email to any other user's email | Improper Access Control - Generic | bisesh | High | 2022-05-06 |
| Regular Expression Denial of Service vulnerability | Uncontrolled Resource Consumption | dingleberryfarts | Medium | 2022-04-12 |
| Registering with the same email address multiple times leads to account takeover | Improper Authentication - Generic | whitehacker18 | Low | 2022-03-14 |
| XSS via Mod Log Removed Posts | Cross-site Scripting (XSS) - Stored | ahacker1 | High | 2022-03-10 |
| Application level DoS at Login Page (Accepts Long Password) | None supplied | e100_speaks | High | 2022-02-07 |
| Weak rate limit could lead to ATO due to weak password protection mechanisms | Improper Restriction of Authentication Attempts | bombon | Low | 2021-12-15 |
| [dubsmash] Username and password bruteforce | Improper Restriction of Authentication Attempts | asce21 | Low | 2021-12-13 |
| com.reddit.frontpage vulnerable to Task Hijacking (aka StrandHogg Attack) | Phishing | nexus2k | Medium | 2021-12-13 |
| [dubsmash] Long String in 'shoutout' Parameter Leading to Internal Server Error on Popular Hashtags, Community and User Profile | Uncontrolled Resource Consumption | sandeep_rj49 | High | 2021-12-13 |
| No Rate limit on change password leads to account takeover | Improper Restriction of Authentication Attempts | dreamispossible | Low | 2021-12-13 |
| Image queue default key of 'None' and GraphQL unhandled type exception | Type Confusion | moblig | Medium | 2021-10-27 |
| Outsider can affect Upvote Percentage of private subreddit post by calling /api/vote API | Improper Access Control - Generic | trieulieuf9 | Low | 2021-10-27 |
| Third party app could steal access token as well as protected files using inAppBrowser | Information Disclosure | rahulkankrale | Medium | 2021-10-27 |
| Race condition leads to Inflation of coins when bought via Google Play Store at endpoint https://oauth.reddit.com/api/v2/gold/android/verify_purchase | Time-of-check Time-of-use (TOCTOU) Race Condition | yashrs | Medium | 2021-10-27 |
| Content Spoofing/Text Injection at https://gateway-production.dubsmash.com | User Interface (UI) Misrepresentation of Critical Information | karthik86 | None | 2021-10-27 |
| Missing rate limit in current password change settings leads to Account takeover | Brute Force | m0hacks | Medium | 2021-10-27 |
| Deleting all DMs on RedditGifts.com | Insecure Direct Object Reference (IDOR) | parasimpaticki | High | 2021-10-21 |
| S3 bucket takeover presented in https://github.com/reddit/rpan-studio/blob/e1782332c75ecb2f774343258ff509788feab7ce/CI/full-build-macos.sh | Business Logic Errors | bhatiagaurav1211 | High | 2021-10-21 |
| GPS metadata preserved when converting HEIF to PNG | Privacy Violation | ianonavy | High | 2021-10-21 |
| Hash-Collision Denial-of-Service Vulnerability in Markdown Parser | Denial of Service | nicolaas | Medium | 2021-10-21 |
| S3 bucket Upload on studio.redditinc.com (s3-r-w.ap-east-1.amazonaws.com) | Improper Access Control - Generic | dinesh07 | Low | 2021-10-21 |
| Broken Authentication And Session Management | Improper Access Control - Generic | kedibeauty | No rating | 2021-10-21 |
| Vulnerability Name: URL Redirection / Unvalidated Open Redirect | Open Redirect | hasnain_123 | No rating | 2021-10-21 |
| Critical file found etc/passwd on www.reddit.com | Information Disclosure | himan253 | High | 2021-10-21 |
| XSS | Cross-site Scripting (XSS) - Generic | shylo | None | 2021-10-21 |
| OAuth Misconfiguration Leads To Account Takeover | Improper Authorization | shylo | Medium | 2021-10-21 |
| Email Verification Bypass And Get access to user's private invitation. | Business Logic Errors | manish_prajapat | Medium | 2021-10-21 |
| No Password Length Restriction leads to Denial of Service | Uncontrolled Resource Consumption | c_j_27 | None | 2021-10-21 |
| Content Spoofing | Phishing | abdallah1911 | Low | 2021-10-21 |
| Hardcoded API secret & API key in com.reddit.frontpage | Improper Authentication - Generic | 0xcharan | Critical | 2021-10-21 |
| [dubsmash] Lack of authorization checks - Update Sound Titles | Improper Authorization | sandeep_rj49 | High | 2021-10-21 |
| IDOR to pay less for coin purchases on oauth.reddit.com via /api/v2/gold/paypal/create_coin_purchase_order in `order_id` parameter | Business Logic Errors | yanouhd | Medium | 2021-10-21 |
| No Rate Limit on redditgifts gift when Adding Comment | Violation of Secure Design Principles | bhatiagaurav1211 | Low | 2021-10-21 |
| Domain Takeover of Reddit.ru via DNS Hijacking | Improper Access Control - Generic | faberge | Medium | 2021-10-21 |
| User Account has been taken out | Weak Cryptography for Passwords | ravitejag | Critical | 2021-10-21 |