One-Click Account Takeover via Apple Sign-In OAuth Flaw (2022 Bug-Bounty Disclosure)
2022
A security researcher earned a $10,000 Reddit bug bounty for an OAuth flaw in Reddit's 'Sign in with Apple' flow. By abusing the OAuth 'state' parameter to capture the victim's authorization code, an attacker could hijack the account of any user who signed in with Apple, needing only a single click from the victim.
What happened
In 2022 a security researcher reported a critical authentication flaw to Reddit's bug-bounty program on HackerOne (report #1567186, titled 'One-click account hijack for anyone using Apple sign-up to create their account'). The bug allowed an attacker to take over the Reddit account of any user who had registered or logged in using 'Sign in with Apple' — and to do so with only a single click from the victim.
The vulnerability lived in Reddit's implementation of the OAuth authorization flow that underpins social login. In a correctly built OAuth handshake, the 'state' parameter is a per-request, unguessable value that the client stores in the user's browser session before redirecting to the identity provider and checks again when the provider redirects back with the authorization code. That binding ensures a callback is honoured only by the browser session that started the request; without it, an attacker can splice a request they started into a victim's flow, or a victim's response into their own. The researcher found that Reddit's Apple-sign-in flow could be manipulated in this way: the attacker could prepare a state value from their own browser and then trick a victim into completing a step that handed the attacker the victim's OAuth authorization code or access token. With that code, the attacker could complete the sign-in as the victim and take full control of the account.
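The class of flaw described above, as an added example that is not Reddit's code and does not reproduce the unpublished specifics of the report: a small Python simulation of an OAuth client (the 'relying party') with two callback handlers. The weak handler uses the echoed state to decide which browser session receives the login, so a state minted in the attacker's session and planted in a link the victim clicks routes the victim's authorization code into the attacker's session. The hardened handler accepts a callback only if the echoed state matches the one-time value stored in the session that the browser's own cookie points at. The identity-provider stub and all names (idp_authorize, WeakRelyingParty, simulate_attack and so on) are hypothetical and constructed for this example.

```python
"""Added example, not Reddit's code: how an OAuth 'state' that is not bound to
the caller's browser session lets an attacker receive a victim's authorization
code.  Every name here is hypothetical; the identity provider is a stub."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the identity provider (Apple, in the real case):
# an authorization code is a one-time handle to the account that signed in.
_ISSUED_CODES: Dict[str, str] = {}


def idp_authorize(account: str) -> str:
    """The user authenticates at the IdP, which mints an authorization code."""
    code = secrets.token_urlsafe(16)
    _ISSUED_CODES[code] = account
    return code


def idp_exchange_code(code: str) -> Optional[str]:
    """Token endpoint: redeem a one-time code for the account it belongs to."""
    return _ISSUED_CODES.pop(code, None)


@dataclass
class Session:
    sid: str                              # value carried in the browser cookie
    pending_state: Optional[str] = None   # state minted when this session began a login
    user: Optional[str] = None            # account this session is logged in as


class RelyingParty:
    """Common part of the OAuth client: sessions and the start of a login."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> Session:
        sess = Session(sid=secrets.token_urlsafe(16))
        self.sessions[sess.sid] = sess
        return sess

    def start_login(self, cookie_sid: str) -> str:
        """Mint an unguessable state for THIS session; it rides in the redirect to the IdP."""
        state = secrets.token_urlsafe(32)
        self.sessions[cookie_sid].pending_state = state
        return state


class WeakRelyingParty(RelyingParty):
    """Vulnerable pattern: the echoed state decides which session gets the login."""

    def __init__(self) -> None:
        super().__init__()
        self.by_state: Dict[str, str] = {}   # state -> session that minted it

    def start_login(self, cookie_sid: str) -> str:
        state = super().start_login(cookie_sid)
        self.by_state[state] = cookie_sid
        return state

    def callback(self, cookie_sid: str, state: str, code: str) -> Optional[str]:
        target_sid = self.by_state.pop(state, None)   # BUG: the cookie is never consulted
        if target_sid is None:
            return None
        self.sessions[target_sid].user = idp_exchange_code(code)
        return target_sid


class HardenedRelyingParty(RelyingParty):
    """Correct pattern: the cookie picks the session; state must match what it stored."""

    def callback(self, cookie_sid: str, state: str, code: str) -> Optional[str]:
        sess = self.sessions.get(cookie_sid)
        if sess is None:
            return None
        expected, sess.pending_state = sess.pending_state, None   # state is single-use
        if expected is None or not hmac.compare_digest(expected.encode(), state.encode()):
            return None   # not issued to this browser session: reject before redeeming the code
        sess.user = idp_exchange_code(code)
        return cookie_sid


def simulate_attack(rp: RelyingParty) -> dict:
    """Attacker mints a state in their own browser, victim completes the IdP step."""
    attacker, victim = rp.new_session(), rp.new_session()
    evil_state = rp.start_login(attacker.sid)
    # The victim clicks a link to the IdP that carries evil_state, signs in, and the
    # IdP redirects the VICTIM's browser to the callback with the victim's code.
    victim_code = idp_authorize("victim@example.com")
    logged_in = rp.callback(cookie_sid=victim.sid, state=evil_state, code=victim_code)
    return {"logged_in_sid": logged_in, "attacker_sid": attacker.sid,
            "attacker_user": attacker.user, "victim_user": victim.user}


def simulate_legit_login(rp: RelyingParty) -> Optional[str]:
    """An ordinary login must still work in both variants."""
    sess = rp.new_session()
    state = rp.start_login(sess.sid)
    rp.callback(cookie_sid=sess.sid, state=state, code=idp_authorize("alice@example.com"))
    return sess.user


if __name__ == "__main__":
    print("weak:     ", simulate_attack(WeakRelyingParty()))
    print("hardened: ", simulate_attack(HardenedRelyingParty()))
```

Against the weak handler the attacker's session ends up logged in as victim@example.com; against the hardened handler the callback is refused and the victim's code is never redeemed. In a real Sign in with Apple integration the same session-binding discipline applies to the nonce echoed in the returned ID token, and the code should be redeemed server-side only after the state check passes, as the hardened handler does.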
Because the social-login path bypasses the password entirely, an account-takeover of this kind defeats the protections users assume they have: a strong, unique password offers no defense when the attacker never needs it, and the flaw operated at the federated-identity layer rather than at Reddit's credential store. The report was classified at high/critical severity, and Reddit paid a $10,000 bounty — a figure that reflects the breadth of the exposure, since it potentially applied to the entire population of users who had onboarded through Apple.
Reddit's security team worked with the researcher to validate the issue, which included a video proof-of-concept demonstration, and to design and ship an appropriate fix to the OAuth flow before the report was publicly disclosed on HackerOne. There is no public evidence the flaw was exploited in the wild before it was patched; it was found and remediated through the coordinated-disclosure process rather than discovered after an attack.
The episode is notable less for any breach that occurred than for what it reveals about the attack surface of a large social platform. Reddit's confirmed 2018 and 2023 incidents both involved attackers defeating two-factor authentication at the human or SMS layer; this case showed a third class of risk entirely — a logic flaw in the federated-login plumbing that could have compromised accounts en masse without touching a password or a 2FA code at all. It also stands as a documented example of Reddit's bug-bounty program functioning as intended: a high-impact account-takeover vector identified, rewarded, and fixed quietly before it could be weaponized, which is the outcome a responsible-disclosure program exists to produce.
Impact
The flaw potentially exposed every Reddit account created or accessed through 'Sign in with Apple' to a one-click takeover, bypassing passwords and 2FA because the weakness sat in the OAuth/federated-identity layer rather than in Reddit's credential store. No public evidence indicates exploitation before the fix; the bug was caught and remediated through coordinated disclosure, and Reddit paid a $10,000 bounty. The case illustrates that social-login logic flaws are a distinct, high-severity attack surface, separate from credential theft or 2FA bypass.
Sources
- Reddit — Bug Bounty Program on HackerOne. Official / Reddit, 2022.