Security researchers discovered a hidden admin backdoor in Reddit's ads platform that let a malicious admin create undetectable "ghost" accounts within an organisation: accounts that even the organisation's owner could not see, remove or control.
The flaw shows how user roles and invitation logic can collide and lead to a stealth takeover.
Reddit's ad platform allows admins to invite users and assign them roles such as admin, analyst or none, but the system failed to handle multiple invitations for the same user.
This meant that inviting a user as an admin and later inviting them as an analyst left them with admin privileges, so an invitation could be passed between parties an infinite number of times for illicit purposes.
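The role/invitation collision described above can be modelled in a few lines. The following is an added example, written for this page and not Reddit's code: `VulnerableOrg` is a hypothetical invitation system that stores every accepted invitation as a separate grant, renders the member list from the latest invitation only, but authorises against any grant ever issued; `HardenedOrg` keeps exactly one role per user so that a later invitation replaces, rather than accumulates on top of, an earlier one. `find_ghosts` is the audit check a defender would run to spot users who hold admin capability without appearing in the visible member list. All names, roles and users are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role set mirroring the three roles named in the article.
VALID_ROLES = {"none", "analyst", "admin"}


@dataclass
class VulnerableOrg:
    """Hypothetical model (not Reddit's code): one row per invitation, never reconciled."""
    grants: List[Tuple[str, str]] = field(default_factory=list)  # (user, role) per invitation

    def invite(self, user: str, role: str) -> None:
        if role not in VALID_ROLES:
            raise ValueError(f"unknown role {role!r}")
        # Each invitation is appended; earlier grants are never revoked or downgraded.
        self.grants.append((user, role))

    def members(self) -> Dict[str, str]:
        # The member list is built from each user's LATEST invitation, so a later
        # "none" (or "analyst") invitation masks an earlier "admin" grant in the UI.
        latest: Dict[str, str] = {}
        for user, role in self.grants:
            latest[user] = role
        return {u: r for u, r in latest.items() if r != "none"}

    def is_admin(self, user: str) -> bool:
        # Authorisation, however, honours ANY grant ever issued: the collision point.
        return any(u == user and r == "admin" for u, r in self.grants)

    def remove(self, user: str) -> None:
        # The owner's remove action only operates on visible members, so a user
        # hidden by a trailing "none" invitation cannot be removed.
        if user in self.members():
            self.grants = [(u, r) for u, r in self.grants if u != user]

    def known_users(self) -> Set[str]:
        return {u for u, _ in self.grants}


@dataclass
class HardenedOrg:
    """Hardened variant: a single canonical role per user, shared by UI and authz."""
    roles: Dict[str, str] = field(default_factory=dict)

    def invite(self, user: str, role: str) -> None:
        if role not in VALID_ROLES:
            raise ValueError(f"unknown role {role!r}")
        if role == "none":
            self.roles.pop(user, None)  # an explicit "none" revokes access outright
        else:
            self.roles[user] = role  # the latest invitation REPLACES the previous role

    def members(self) -> Dict[str, str]:
        return dict(self.roles)

    def is_admin(self, user: str) -> bool:
        # Listing and authorisation read the same record, so they cannot disagree.
        return self.roles.get(user) == "admin"

    def remove(self, user: str) -> None:
        self.roles.pop(user, None)

    def known_users(self) -> Set[str]:
        return set(self.roles)


def find_ghosts(org) -> Set[str]:
    """Audit check: users who pass the admin check but are absent from the member list."""
    visible = org.members()
    return {u for u in org.known_users() if org.is_admin(u) and u not in visible}


def demonstrate() -> Tuple[Set[str], Set[str]]:
    """Replay the invite-as-admin-then-as-lower-role sequence against both models."""
    vuln, hard = VulnerableOrg(), HardenedOrg()
    for org in (vuln, hard):
        org.invite("mallory", "admin")    # first invitation grants admin
        org.invite("mallory", "none")     # second invitation hides the account
        org.invite("bob", "admin")
        org.invite("bob", "analyst")      # downgrade that the vulnerable model ignores
        org.remove("mallory")             # the owner's attempt to remove the user
    return find_ghosts(vuln), find_ghosts(hard)


if __name__ == "__main__":
    print("ghost admins (vulnerable model):", demonstrate()[0])
    print("ghost admins (hardened model):  ", demonstrate()[1])
```

In the vulnerable model `mallory` is invisible in `members()`, survives `remove()`, and still passes `is_admin()`, while `bob` is listed as an analyst yet keeps admin rights; the hardened model yields no ghosts because every read path consults the same single role record. The design lesson is the one the article points at: invitation handling must reconcile to one authoritative role per user, and the authorisation path must read that same record as the membership UI, otherwise the two views drift apart and a hidden grant survives.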
The issue was reported to Reddit in November 2019 but remained unresolved at the time of publication.