Yahoo!, the 4th most visited website on the Internet, has been found vulnerable multiple times, and this time a hacker has claimed to spot a critical vulnerability in the Yahoo! sub-domain 'suggestions.yahoo.com', which could allow an attacker to delete all the posted threads and comments on Yahoo's Suggestion Board website.



Egyptian Cyber Security Analyst 'Ibrahim Raafat' found and demonstrated an 'Insecure Direct Object Reference' vulnerability in Yahoo's website on his blog.



Exploiting the flaw escalates user privileges, allowing a hacker to delete more than 365,000 posts and 1,155,000 comments from the Yahoo! database. Technical details of the vulnerability are explained below:



Deleting Comments: While deleting his own comment, Ibrahim noticed the HTTP header of the POST request, i.e.:

prop=addressbook&fid=367443&crumb=Q4.PSLBfBe.&cid=1236547890&cmd=delete_comment

Where parameter 'fid' is the topic ID and 'cid' is the respective comment ID. While testing, he found that changing the fid and cid parameter values allowed him to delete other comments from the forum that were actually posted by another user.
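The missing check, as an added example (not code from Yahoo or from the researcher's report): a minimal Python model of a delete_comment handler that validates the crumb but trusts the client-supplied cid, next to a version that authorizes the referenced object server-side. It assumes the crumb is a per-session anti-CSRF token; the in-memory store, user names, crumb values and function names are constructed for illustration.

```python
import hmac

# Constructed sample data: comment id -> owning topic id and author.
COMMENTS = {
    1001: {"fid": 10, "author": "alice"},
    1002: {"fid": 10, "author": "bob"},
}
# Constructed per-session anti-CSRF crumbs (assumption about what a crumb is).
CRUMBS = {"alice": "crumbA", "bob": "crumbB"}


def crumb_ok(user, crumb):
    """The crumb only proves the request came from the user's own session."""
    return hmac.compare_digest(CRUMBS.get(user, ""), crumb or "")


def delete_comment_vulnerable(store, user, params):
    """Trusts the client-supplied cid once the crumb checks out (the IDOR)."""
    if not crumb_ok(user, params.get("crumb")):
        return 403
    cid = int(params["cid"])
    if cid not in store:
        return 404
    del store[cid]
    return 200


def delete_comment_fixed(store, user, params):
    """Also requires that the referenced comment belongs to the caller."""
    if not crumb_ok(user, params.get("crumb")):
        return 403
    try:
        fid, cid = int(params["fid"]), int(params["cid"])
    except (KeyError, ValueError):
        return 400
    comment = store.get(cid)
    # Same 404 for "missing" and "not yours" so ids cannot be probed.
    if comment is None or comment["fid"] != fid or comment["author"] != user:
        return 404
    del store[cid]
    return 200


def demo():
    """alice submits bob's cid together with her own valid crumb."""
    req = {"cmd": "delete_comment", "fid": "10", "cid": "1002", "crumb": "crumbA"}
    weak, strong = dict(COMMENTS), dict(COMMENTS)
    return (delete_comment_vulnerable(weak, "alice", req), 1002 in weak,
            delete_comment_fixed(strong, "alice", req), 1002 in strong)
```

The same ownership check applies to the delete_item command: the crumb ties a request to a session, while authorization has to be decided per object on the server.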



Deleting Posts: Next, he also tested the post deletion mechanism and found a similar loophole in it. A normal HTTP header of the POST request for deleting a post is:

POST cmd=delete_item&crumb=SbWqLz.LDP0

He found that appending the fid variable to the URL allowed him to delete the respective post, one that was not posted by himself, i.e.:

POST cmd=delete_item&crumb=SbWqLz.LDP0&fid=xxxxxxxx

A potential attacker with little knowledge of programming could write an automated script to delete all the comments and posts.

The vulnerability hunter claimed that he had received the Bug Bounty for reporting this security flaw to Yahoo, which has now been fixed by the company.

He has reported the flaw to the Yahoo Security team and also provided a, as shown below: