Subreddit Security Holes Entertained This Hacker For Weeks
User accounts compromised; Software vulnerability
The hacker, who goes by the name BVM, says he has taken over so many subreddits that he has “lost count,” but estimates the number at more than 70. The popular r/pics, r/starwars, and r/gameofthrones, among others, have had their front pages defaced in the last few days.
Reddit’s lack of two-factor authentication and other weaknesses have made his job easier.
BVM, who declined to identify himself beyond saying that he is male, also refused to disclose the vulnerabilities that let him hijack the pages.
"But he did admit that he’s hacking into moderators’ accounts and then changing the CSS style of the pages, replacing it with a note taking responsibility," Motherboard reported. "BVM is either phishing passwords out of the mods, or bruteforcing their accounts. Given that Reddit doesn’t have two-factor authentication (2FA), the password of a mod really is the only barrier of entry to a subreddit." ("Mod" is shorthand for "moderator.")
A moderator of r/pics whose account was taken over by BVM said it was breached because of password reuse: he was using the same password on Reddit and on another service that had likely been compromised earlier.
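The attack path described above (a reused or brute-forced moderator password, with no second factor behind it) maps onto three server-side controls. The following Python is an added example, not Reddit's code or anything from the Motherboard report: it refuses passwords found in a constructed stand-in for a breach corpus, locks an account after repeated failures so online brute force stalls, and requires an RFC 6238 TOTP code alongside the password so that a password alone no longer opens the account. The account name, salt, TOTP secret and breached-password list are all constructed for the demo.

```python
"""Login hardening against the attack path in the article: reject passwords
already seen in a breach, throttle brute force, and require a TOTP second
factor so a moderator's password alone is no longer the only barrier.

Added, self-contained example; not Reddit's code. The breached-password
list, account data, salt and TOTP secret are constructed for the demo.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed stand-in for a breached-password corpus. Real corpora (e.g. a
# Pwned Passwords dump) are distributed as SHA-1 hex digests, so store those.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "hunter2", "letmein", "qwerty123")
}

MAX_FAILURES = 5          # failed (password, code) attempts before lockout
LOCKOUT_SECONDS = 900     # lockout length; makes online brute force impractical
PBKDF2_ROUNDS = 100_000   # password hashing work factor (demo assumption)


def is_breached(password: str) -> bool:
    """True if the password appears in the breach corpus. Reusing a password
    that leaked elsewhere is exactly what cost the r/pics moderator his account."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; slow on purpose so a stolen hash is costly to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter with dynamic truncation.
    Reproduces the RFC 4226/6238 test vectors for secret b"12345678901234567890"."""
    counter = struct.pack(">Q", max(now, 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    failures: int = 0
    locked_until: int = 0


def create_account(name: str, password: str, totp_secret: bytes,
                   salt: bytes = b"constructed-salt") -> Account:
    """Enrolment: refuse breached passwords and enrol a second factor."""
    if is_breached(password):
        raise ValueError("password appears in a known breach; choose another")
    return Account(name, salt, hash_password(password, salt), totp_secret)


def login(acct: Account, password: str, code: str, now: int) -> str:
    """Return "ok", "denied" or "locked". Both factors are evaluated before the
    verdict, so a correct but phished or reused password without a valid TOTP
    code is still "denied" and counts toward lockout."""
    if now < acct.locked_until:
        return "locked"
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    # Accept the current and the previous 30 s step to tolerate clock skew.
    code_ok = any(hmac.compare_digest(totp(acct.totp_secret, now - skew), code)
                  for skew in (0, 30))
    if pw_ok and code_ok:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC test-vector secret, constructed here
    mod = create_account("mod_of_pics", "c0rrect-h0rse-batt3ry", secret)
    print(login(mod, "hunter2", "000000", now=59))                      # denied
    print(login(mod, "c0rrect-h0rse-batt3ry", "000000", now=59))        # denied: password alone
    print(login(mod, "c0rrect-h0rse-batt3ry", totp(secret, 59), now=59))  # ok
```

The TOTP step closes the two routes Motherboard names, reused or brute-forced passwords, but a phishing page that relays the six-digit code to the real site in real time still succeeds; a phishing-resistant second factor such as WebAuthn is the stronger answer to the phishing route. Both factors are compared in constant time, and the lockout counter applies to the combined attempt so an attacker cannot confirm the password separately from the code.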
Why is BVM hacking these subreddits?
“It’s not like it’s really a challenge or anything so I just do it to pass time,” the hacker told Motherboard in an online chat.
BVM does not put much thought into choosing his targets. He said he either picks them from the top subreddits listed on redditmetrics.com or uses the site’s option to navigate to a random subreddit.
May 10, 2016
More than 70 moderators
Location of breach: not stated
Location of perpetrators: not stated
Date breach occurred: late April 2016 and early May 2016
Date breach detected: May 9, 2016 or before