News

Published on May 25th, 2014 📆 | 2352 Views ⚑

0

Vulnerability allowed deleting comments of any user in all Yahoo sites


iSpeech.org

Recently, a vulnerability has been reported by an Egyptian security researcher 'Ahmed Aboul-Ela', that allows him to delete any comment from all Yahoo Services, including Yahoo News , Yahoo Sports , Yahoo TV , Yahoo Music , Yahoo Weather, Yahoo Celebrity , Yahoo Voices and more.
When yahoo users comment on any article or post on any of the Yahoo services, they are allowed to delete their own comment anytime. But the reported vulnerability discovered by Ahmed allows them to delete all the comments, even if they are posted by others.
Vulnerability in Yahoo Website Allows Hackers to Delete Any Comment
To delete a comment, one can initiate the request by clicking on the delete button and once clicked, the page sends a POST request to the Yahoo server with some variables i.e. comment_id and content_id, where comment_id represents the comment's serial number and content_id represents the article identifier.
[adsense size='1']
To carry out this, an attacker just has to initiate a request to delete his own comment, then needs to tamper the POST request in order to replace his own comment_id parameter value with the value of targeted comment. Once the server will receive this request, it will delete that comment from the database, as it fails to validate user’s permissions.
VIDEO DEMONSTRATION


But there is a small dependency here, an attacker can delete comments from a post, only if he is the first to comment on that post.
"The vulnerability will only work if you were the first commenter on the article as you will have a privilege to delete any other yahoo users comments who post comment after you. otherwise it will give you the Authorization Failed error message , so it seems that the developer was taking care of the bug but he just forgot to add the validation when he checks if you are the first commenter." Ahmad explained.
The vulnerability has been fixed by Yahoo Security Team after Ahmad reported them few weeks before.

Tagged with:



Leave a Reply

Your email address will not be published.