Vulnerability in Yahoo Allows hacker to Delete any Comments

After the multiple vulnerabilities reported on the eBay site, now security researchers are expanding their research and continuing their hunting. Last month many researchers have reported the vulnerability of the Yahoo team in respect of its bounty program.

Recently Egyptian security researcher 'Ahmed Aboul-Ela' has reported a vulnerability to Yahoo that allows him to delete any comment from 90 percent of Yahoo services which includes Yahoo News, Yahoo Sports, Yahoo TV, Yahoo Music, Yahoo Weather, Yahoo Celebrity, Yahoo Voices, and more.
When a user comments on any of the posts of the yahoo service, they are allowed to delete their own comments. But the Vulnerability reported by Ahmed is something different to it. Ahmed's Vulnerability, allows him to delete any of the comments that are posted by others also.

What Happens While Deleting Comments?

When a user deletes its comments then a page sends a POST request to Yahoo Server with some variables i.e comment_id and content_id, where comment_id represents the comment's serial number and content_id represents the article identifier.


So to carry out the process users just have to click on the Delete button beside their comments. The attacker has tampered with the POST request and made changes with the variables of Parameter i.e comment_id and content_id.  The attacker has replaced the value of the comment_id parameter with other comments id (targeted comments). Once the server receives the request for deletion, it deletes the comments from the database without validating the user's permission.

This vulnerability has one demerit, that the vulnerability only works when the attackers are the first person to comment on the post.

"The vulnerability will only work if you were the first commenter on the article as you will have a privilege to delete any other yahoo users comments who post comment after you. otherwise it will give you the Authorization Failed error message , so it seems that the developer was taking care of the bug but he just forgot to add the validation when he checks if you are the first commenter." Ahmad explained.