CSRF (Cross-Site Forgery) vulnerability in Reddit, a social discussion and news site; forced adult-only content to be viewed by non-adult users.
Medium severity security error disabled certain settings. This opened up the possibility that malicious agents could redirect minors to content.
The bug report states the vulnerability as follows: “https://old.reddit.com/over18 for a state-changingPOST request, sensitive action CSRF attacks. An attacker can trick users into taking the action.”
The attacker can enable/disable the "I'm over eighteen" option and be willing to display the adult content preference on the victim account.”
Once the victim's Reddit account has been created, it starts with going to https://old.reddit.com/prefs/ and turning off the option on that side that is enabled to view adult content over 18 years old.
Next, the user can download the "not safe for work" (NSFW) subdirectory https://www.reddit.com/r/ visits, where there is a window asking if the user wants to see mature content. If they then open a crafted HTML file containing malicious content, their settings will be updated and they may unwittingly view NSFW content.
The issue was fixed by Reddit, and the security researcher received a $500 bug bounty for reporting it.
Source:
