About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Race condition leads to Inflation of coins on Reddit- 663

yashrs - HackerOnePosted 4 Years Ago
  • Reddit has coins that can be purchased. These coins can be used to give awards and do other things on Reddit. The API depends on the application, since some go through Paypal, some go through the Apple Store and some go through the Google Play store.
  • When calling the verify_purchase endpoint (which contains information from the payment in Google) there existing a Time of Check vs. Time of Use (TOCTOU) vulnerability. There is verification being done. However, by making the same request several times concurrently, the money gets added multiple times.
  • In the report, the developers at Reddit mention that they look for this type of issue by creating a DB lock to prevent this. But, the bug appears to be in the memcache lock having multiple entries because of the concurrent requests. Actual verification of the testing is important to verify a fix, as complicated eco-systems add unexpected outcomes.
  • Overall, a great and impactful bug in the Reddit coin handling. Damn, race conditions are so fun!

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed