I’m the sort of hip cat who frequents Internet Bulletin Boards. Recently I found myself needing to verify the email address associated with my Reddit account.
The email I received from Reddit was charmingly lo-fi and eschewed those bourgeois capital letters.
Notice the (teensy tiny) flaw? Yup, it’s using vanilla “http” rather than the super secure “https”.
Earlier this year, Reddit switched on SSL for their entire site. Somewhat annoyingly though, they do not force SSL for the site. If you want to ensure all your sessions are encrypted, you have to manually set it up in your preferences.
I find that a little disappointing. I know that there is a cost associated with 100% SSL coverage on a major site like Reddit, but surely because of the site’s popularity they should mandate it?
Anyway, I reported this minor problem to the security email address listed on their bugs page. A few minutes later, they replied.
Thanks for the report! While I don’t believe there’s any vulnerability introduced if we leak the verification token here (being that the intended recipient must have wanted to verify it if they clicked it, and tokens are tied to both the email and account,) I’ve got a fix for this that should go out this week.
A day or two later and it was fixed.
I’m trying really hard to come up with a malicious use for a MITM attack on this. There’s not much.
The “dest” parameter doesn’t appear to be hackable. It won’t point to any site other than Reddit. So you can’t redirect the user to a malicious site. What you can do is redirect to any Reddit post or page. Perhaps sending someone to a particularly disgusting post could be legally disadvantageous?
Of course, a malicious actor on the network could sniff the user’s login credentials if the user hadn’t noticed the lack of HTTPS.
So, there we are. A minor bug, swiftly fixed – and a general reminder that when you switch on HTTPS, make sure all of your communications with your users are updated to reflect that fact.