[Reddit] Able to bypass email verification and change email to any other user email ($5000 USD)
We discussed this vulnerability during Episode 143 on 09 May 2022
This seems like a case of a generic endpoint being implemented to update any field provided, without consideration of the other restrictions that apply to some of those fields. In this case we have a PATCH /api/v2.0/accounts/<account_id> endpoint which ultimately takes in a dictionary of field/value pairs to be updated for the given account id. By editing the request to include the email field, it can be updated to any new value without going through the normal verification process. While I cannot be sure without seeing Reddit's code, this seems to me like the endpoint probably just takes the provided fields, checks that each one exists, and updates it, creating this situation where you could provide unexpected fields to be updated.
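To make the pattern concrete, here is an added example (not Reddit's code) of an "update whatever fields exist" PATCH handler next to a hardened version that allowlists directly editable fields and routes an email change through a pending-verification step. The Account class, field names and token handling are constructed for illustration.

```python
# Added example, not Reddit's code: a mass-assignment style PATCH handler
# beside a hardened one. Storage and field names are constructed here.
import secrets

class Account:
    def __init__(self, account_id, username, email):
        self.account_id = account_id
        self.username = username
        self.email = email          # verified address
        self.pending_email = None   # awaiting verification
        self.pending_token = None

def patch_account_vulnerable(account, fields):
    """Vulnerable pattern: any provided field that exists on the object is
    written directly, so 'email' bypasses the verification flow entirely."""
    for name, value in fields.items():
        if hasattr(account, name):
            setattr(account, name, value)
    return account

# Fields a user may change directly via PATCH; anything else is rejected.
DIRECT_EDITABLE = {"username"}
# Fields that need their own flow; the handler routes them, never sets them.
VERIFIED_FLOW = {"email"}

def patch_account_hardened(account, fields):
    """Hardened pattern: explicit allowlist, unknown fields rejected, and an
    email change only records a pending value plus a verification token."""
    unknown = set(fields) - DIRECT_EDITABLE - VERIFIED_FLOW
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for name in DIRECT_EDITABLE & set(fields):
        setattr(account, name, fields[name])
    if "email" in fields:
        account.pending_email = fields["email"]
        # Token would be mailed to the new address; delivery is out of scope.
        account.pending_token = secrets.token_urlsafe(16)
    return account

def confirm_email(account, token):
    """Second step of the flow: only the correct token promotes the email."""
    if account.pending_token is None:
        return False
    if not secrets.compare_digest(token, account.pending_token):
        return False
    account.email = account.pending_email
    account.pending_email = account.pending_token = None
    return True
```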