Serious Flaw in Yahoo Websites allows attackers to delete any comment

Pierluigi Paganini May 25, 2014

The Egyptian security researcher Ahmed Aboul-Ela has discovered a vulnerability which allowed deleting comments of any user in all Yahoo sites.

A couple of days ago I was contacted by the Egyptian security researcher Ahmed Aboul-Ela which informed me to have disclosed a vulnerability in Yahoo websites which allow attackers to delete any comment from all Yahoo Services, including Yahoo Celebrity, Yahoo Music, Yahoo News , Yahoo Sports , Yahoo TV , Yahoo Voices, Yahoo Weather and many others.

Immediately the vulnerability reminded me a similar flaw discovered in the past months in the Yahoo Answers system, in that case the Egyptian security expert Ibrahim Raafat discovered a “Insecure Direct Object Reference Vulnerability” in the Yahoo! sub-domain (suggestions.yahoo.com) which allowed him to delete all the posted thread and comments on Yahoo’s Suggestion Board website.

Let’s see how Ahmed Aboul-Ela how has found the critical flaw.  If Yahoo users comment an article or post content on any of the Yahoo services, they are always able to delete their contributions, comments and posts, anytime.

The researchers observed the behavior for deletion of his own post, he took note of the POST request sent by clicking on the delete button.

The “delete” POST request includes different variables like comment_id and content_id, where comment_id represents the comment’s serial number and content_id represents the article identifier.

Manipulating the above parameter the attacker is able to delete any other comment, even if created by other users, simply replace his own comment_id parameter value with the value of targeted comment.

.
yahoo comments deletion 1
The researcher made many other attempts and he noted that content deletion was not always possible, he verifies that an attacker can delete comments from a post, only if he is the first to comment on that post.
In this case the POST request retrieves as result the following error message:
error:{“description”:”Authorization Failed”,”detail”:{“content”:[“The user does not have permissions to edit the comment”]}
The vulnerability will only work if you were the first commenter on the article as you will have a privilege to delete any other yahoo users comments who post comment after you. otherwise it will give you the Authorization Failed error message , so it seems that the developer was taking care of the bug but he just forgot to add the validation when he checks if you are the first commenter.” Ahmed explained.

 

yahoo comments 3

 

Below a video Proof of Concept published by the Egyptian researcher:

 

The vulnerability has been already fixed by Yahoo Security Team after a few weeks Ahmed Aboul-Ela ethically reported it.

Ahmed Aboul-Ela (@aboul3la) is an Egyptian security researcher. Acknowledged by Google, Microsoft , Yahoo ,Apple, Ebay, Adobe, Redhat, Nokia for for reporting various vulnerabilities in their applications

Pierluigi Paganini

(Security Affairs –  Yahoo, Hacking)



you might also like

leave a comment