IDOR for Coins: How I Paid Less and Got More on Reddit’s PayPal Checkout
Summary
A security researcher discovered a vulnerability in Reddit’s PayPal coin payment system in 2021 and was awarded a $500 bounty.
The issue, an Insecure Direct Object Reference (IDOR), allowed the researcher to manipulate the transaction reference sent back to Reddit during checkout so that a payment for a small coin package was credited as a larger one.
Because the server never re-checked which package the completed PayPal transaction had actually paid for, the researcher could pair a smaller payment with a bigger package; done at scale, the same trick would have meant a direct financial loss for Reddit.
The case highlighted the need to validate transaction IDs and reference numbers on the server side, reconciling the amount actually captured against the item being delivered, and reinforced the rule of never trusting identifiers supplied by the client.
It also served as a reminder of the role security research plays in uncovering such flaws before malicious actors exploit them, and of the value of bounty programs in rewarding that work.
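The pattern described above, as an added illustration rather than any code from Reddit or PayPal: a minimal checkout fulfilment step written two ways. The vulnerable version trusts the package identifier the client posts back and only checks that some payment completed; the hardened version resolves the package from the server's own order record, binds the order to the calling user, compares the captured amount with the list price, and refuses to fulfil the same order twice. The package catalogue, order records and "PayPal capture" data are constructed stand-ins, and the function and field names are assumptions made for the example.

```python
"""Added example: an IDOR in a coin-checkout fulfilment step and its fix.
Simplified model with constructed data; not Reddit's or PayPal's real code."""
from dataclasses import dataclass
from decimal import Decimal

# Server-side catalogue: package id -> (coins, price in USD). Constructed values.
PACKAGES = {
    "coins_500":  (500,  Decimal("1.99")),
    "coins_1800": (1800, Decimal("5.99")),
    "coins_7200": (7200, Decimal("19.99")),
}


@dataclass
class PaypalCapture:
    """What the payment provider reports for a completed payment (constructed stand-in)."""
    order_id: str
    amount: Decimal
    currency: str
    status: str  # "COMPLETED" or anything else


@dataclass
class Order:
    """Server-side record written when checkout starts, before redirecting to the PSP."""
    order_id: str
    user: str
    package_id: str
    fulfilled: bool = False


# Constructed capture: the user really paid $1.99, the price of the smallest package.
CAPTURES = {
    "PAYPAL-ORDER-1": PaypalCapture("PAYPAL-ORDER-1", Decimal("1.99"), "USD", "COMPLETED"),
}
# Constructed server-side orders keyed by the provider's order id.
ORDERS = {
    "PAYPAL-ORDER-1": Order("PAYPAL-ORDER-1", "alice", "coins_500"),
}


def vulnerable_fulfil(user: str, order_id: str, package_id: str) -> int:
    """IDOR: grants whatever package the CLIENT names, checking only that a payment
    with the given reference completed. Returns coins granted, 0 on rejection."""
    cap = CAPTURES.get(order_id)
    if cap is None or cap.status != "COMPLETED":
        return 0
    coins, _price = PACKAGES[package_id]   # package_id is never reconciled with cap.amount
    return coins


def hardened_fulfil(user: str, order_id: str, package_id: str) -> int:
    """Fixed: the package comes from the server's own order record, the order must
    belong to the caller, the captured amount must equal the list price, and an
    order can only be fulfilled once. Returns coins granted, 0 on rejection."""
    order = ORDERS.get(order_id)
    if order is None or order.user != user or order.fulfilled:
        return 0
    if order.package_id != package_id:        # client's claim must match what was ordered
        return 0
    cap = CAPTURES.get(order_id)
    if cap is None or cap.status != "COMPLETED":
        return 0
    coins, price = PACKAGES[order.package_id]
    if cap.currency != "USD" or cap.amount != price:   # amount paid must match the package
        return 0
    order.fulfilled = True                    # idempotent: replaying the callback grants nothing
    return coins


if __name__ == "__main__":
    # alice paid $1.99 but claims the $19.99 package on the way back from checkout.
    print("vulnerable:", vulnerable_fulfil("alice", "PAYPAL-ORDER-1", "coins_7200"))
    print("hardened  :", hardened_fulfil("alice", "PAYPAL-ORDER-1", "coins_7200"))
    print("hardened  :", hardened_fulfil("alice", "PAYPAL-ORDER-1", "coins_500"))
```

The important design choice is that the only client-controlled input the hardened path still accepts is the order reference, and even that is used purely as a lookup key into state the server created itself; every fact that decides what gets delivered (who ordered, which package, what was paid) is read from the server's record or from the payment provider, never from the request body.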