Vulnerability in Yahoo allowed me to delete more than 1 million and half records from Yahoo database
Critical vulnerability in Yahoo allow the attacker to delete more than 1,500,000 records from Yahoo Database
The vulnerability reported and patched, No data deleted
Today i will write about an Insecure Direct Object Reference Vulnerability i found in Yahoo Suggestions Board suggestions.yahoo.com
This vulnerability escalated my privilege to empty the tables of topics,comments in the database, I was able to delete any topic or comment
Comments: 1,155,000
Posts: More than 365,000 Posts
I reported a lot of vulnerabilities to Yahoo and got some gifts like T-shirt, Mug, Mouse, etc..
But when they announced that they will release the Bug bounty program, i decided to find some vulnerabilities into Yahoo websites again
I started testing Suggestions.Yahoo.com,
It’s something like Yahoo answers, Users send questions and receive the answers
Firstly i added comment to post of someone
I found that i can delete my comment, so i opened Live HTTP Headers to check what happens when i delete my comment,
POST Request
prop=addressbook&fid=367443&crumb=Q4.PSLBfBe.&cid=1236547890&cmd=delete_comment
There were 5 parameters
prop= category
fid= topic id
crumb = something like session
cid = Comment id
cmd= the method
I opened another browser, signed in with another account and posted other comment,
Then, i got the id and changed it in the post request and replayed it again via Live HTTP Headers, the comment of the other account deleted successfully
First Vulnerability
Then moved to suggestions topics, I added a new topic and found also that i have the ability to delete my post so, when i deleted it, i captured the request But, it was like this
POST cmd=delete_item&crumb=SbWqLz.LDP0
mmmmmm, the POST Request is not like the previous one, when i deleted comments of the others i changed the comment id to the one i want to delete But here there is no id to change
I guess that the developer forgot to add it 🙂 ,Simply i added topic parameter to the request to be like this
POST cmd=delete_item&crumb=SbWqLz.LDP0&fid=xxxxxxxx
I replayed the request again, and the topic deleted successfully
I was able also to write comments by using Yahoo users accounts
It was easy to write script to delete all the topics from id number 1 to the last one,
I thought what about if a black hat hacker got this one, He would delete 1,500,000 records entered by Yahoo users
The Vulnerability fixed and received the Bounty from 2 days, It was easy to find
Here is a video for more details
Quote of the day
There are a lot of Quotes all over the world, Some of them change our lives and the others change the SQL Query result
Ibrahim Raafat
./Done
Nicely done 😉
@Iñaki
Thankssss 😉
I am interested in the amount they paid for this, if you have no problem with that!
@whatever
Guess …
Good job!
Pingback: Yahoo vulnerability allows Hacker to delete 1.5 million records from Database | DigitalMunition
Pingback: Yahoo vulnerability allows Hacker to delete records from Database
Pingback: Critical flaw in Yahoo allows Hacker to delete 1.5M records
Pingback: Yahoo vulnerability allows Hacker to delete 1.5 million records from Database | LaRealidadEquivocada
Pingback: Yahoo vulnerability allows 1,5 million records to delete from database - SECURITY INFORM (Beta)
Pingback: Lỗ hổng mới của Yahoo cho phép hacker xóa 1.5 triệu bản ghi trong cơ sở dữ liệu : Security Daily
Pingback: Yahoo vulnerability allows Hacker to delete 1.5 million records from Database - Trade Basics
More Than Amazing (Y)
More Than Amazing (Y) You Are Awesome ^_^
Pingback: Your Weekly Security Wrap-Up: Yahoo, Sears, YouTube & More - Checkmarx
Awesome man (Y) Thumbs up!
Pingback: Yahoo vulnerability could have allowed Hacker to delete more than 1.5 million records | Mobile Security Threat
Good work Ibrahim !
good job.. sir
Pingback: Code Lion | Vulnérabilité critique Yahoo Suggestion
Pingback: Flaw in Yahoo! Suggestions Allowed Hackers to Delete 1.5 Million Posts and Comments | Cyber Security Infotech(P) Ltd
Pingback: Un Hacker borro 1,5 millones de posts y comentarios en Yahoo! Sugerencias | Hackerss
Pingback: Un Hacker pudo haber borrado 1,5 millones de posts y comentarios en Yahoo! Sugerencias | Hackerss
Pingback: Tutkija: ”Olisin voinut tuhota 1,5 miljoonaa Yahoo-viestiä” | Tietokone Knowledge
Thanks all
Pingback: Yahoo!, una grave vulnerabilità mette(va) a rischio un intero sito
رائع يا رأفت باشاااااااااااا
بقولك اية يا ريس متيجي تعمل شركة آمان
Pingback: Κενό ασφάλειας στο Yahoo! Suggestions επιτρέπει την διαγραφή 1.5 εκατομμυρίων posts και comments
Currently some people on yahoo are able to hide comments made by others. also they appear to be able to stop you posting a lead comment. meaning you can only reply to threads already present and stopping you starting a new thread. Do you know how they are doing this.
Pingback: Yahoo vulnerability allows Hacker to delete 1.5 million records from Database | My great WordPress blog
Heya i am for the first time here. I came across this
board and I in finding It truly useful & it helped me out
much. I am hoping to provide one thing back and help others
such as you aided me.