Serious Flaw in Yahoo Websites allows attackers to delete any comment

The Egyptian security researcher Ahmed Aboul-Ela has discovered a vulnerability that allowed the deletion of any user's comments on all Yahoo sites.

A couple of days ago I was contacted by the Egyptian security researcher Ahmed Aboul-Ela, who informed me that he had disclosed a vulnerability in Yahoo websites that allows attackers to delete any comment on all Yahoo services, including Yahoo Celebrity, Yahoo Music, Yahoo News, Yahoo Sports, Yahoo TV, Yahoo Voices, Yahoo Weather and many others.

The vulnerability immediately reminded me of a similar flaw discovered a few months earlier in the Yahoo Answers system: in that case the Egyptian security expert Ibrahim Raafat found an Insecure Direct Object Reference vulnerability in the Yahoo! sub-domain suggestions.yahoo.com that allowed him to delete every posted thread and comment on Yahoo's Suggestion Board website.

Let's see how Ahmed Aboul-Ela found the critical flaw. When Yahoo users comment on an article or post content on any of the Yahoo services, they are always able to delete their own contributions, comments and posts, at any time.

The researcher observed how the deletion of his own comment worked: he took note of the POST request sent when he clicked the delete button.

The "delete" POST request carries several parameters, among them comment_id and content_id, where comment_id is the comment's serial number and content_id is the identifier of the article the comment belongs to.

By manipulating the comment_id parameter the attacker is able to delete any other comment, even one created by another user: he simply replaces his own comment_id value with the value of the targeted comment.

The researcher made many further attempts and noted that deletion was not always possible: he verified that an attacker can delete comments on a post only if he was the first to comment on that post.
Otherwise the POST request returns the following error message:
error:{"description":"Authorization Failed","detail":{"content":["The user does not have permissions to edit the comment"]}}
"The vulnerability will only work if you were the first commenter on the article, as you will have the privilege to delete any other Yahoo users' comments posted after yours. Otherwise it will give you the Authorization Failed error message, so it seems that the developer was taking care of the bug but he just forgot to add the validation when he checks if you are the first commenter," Ahmed explained.
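To make the authorization defect concrete, here is an added example (not Yahoo's code and not the researcher's) that reconstructs the pattern described in the two passages above: a delete request carrying comment_id and content_id, a vulnerable handler whose only check is "is the caller the first commenter on this article?", and a fixed handler that binds the decision to the comment actually named in the request. The in-memory store, the user names, the content_id value and the "Not Found" response are assumptions made for the example; the Authorization Failed JSON mirrors the error message quoted in the article.

```python
# Added example, not from the original article: toy comment backend that
# reproduces the per-article authorization check versus a per-comment one.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Mirrors the error body quoted in the article.
AUTH_ERROR = {
    "error": {
        "description": "Authorization Failed",
        "detail": {"content": ["The user does not have permissions to edit the comment"]},
    }
}
NOT_FOUND = {"error": {"description": "Not Found"}}  # assumed shape for this example


@dataclass
class Comment:
    comment_id: int   # serial number of the comment
    content_id: int   # identifier of the article it belongs to
    author: str


class CommentStore:
    """In-memory stand-in for the comment backend (constructed for this example)."""

    def __init__(self) -> None:
        self._comments: Dict[int, Comment] = {}
        self._next_id = 1

    def post(self, user: str, content_id: int) -> int:
        cid = self._next_id
        self._next_id += 1
        self._comments[cid] = Comment(cid, content_id, user)
        return cid

    def exists(self, comment_id: int) -> bool:
        return comment_id in self._comments

    def first_commenter(self, content_id: int) -> Optional[str]:
        """Author of the lowest comment_id on the article, or None if no comments."""
        on_article = [c for c in self._comments.values() if c.content_id == content_id]
        if not on_article:
            return None
        return min(on_article, key=lambda c: c.comment_id).author

    def _delete(self, user: str, comment_id: int, content_id: int,
                authorized: Callable[[str, Comment], bool]) -> dict:
        # Both handlers resolve the object the same way; only the predicate differs.
        target = self._comments.get(comment_id)
        if target is None or target.content_id != content_id:
            return NOT_FOUND
        if not authorized(user, target):
            return AUTH_ERROR
        del self._comments[comment_id]
        return {"ok": True}

    def delete_vulnerable(self, user: str, comment_id: int, content_id: int) -> dict:
        # The decision is made per article, not per comment: whoever wrote the
        # first comment on content_id passes, whatever comment_id points at.
        return self._delete(user, comment_id, content_id,
                            lambda u, c: self.first_commenter(c.content_id) == u)

    def delete_fixed(self, user: str, comment_id: int, content_id: int) -> dict:
        # The decision is tied to the referenced object: the caller must own
        # the very comment named in the request.
        return self._delete(user, comment_id, content_id,
                            lambda u, c: c.author == u)


def run_scenario(fixed: bool) -> dict:
    """Alice comments first, Bob second; each replays a delete with the other's comment_id."""
    store = CommentStore()
    article = 1001                            # constructed content_id
    alice_c = store.post("alice", article)    # comment_id 1
    bob_c = store.post("bob", article)        # comment_id 2
    delete = store.delete_fixed if fixed else store.delete_vulnerable

    bob_attack = delete("bob", alice_c, article)     # second commenter targets the first
    alice_attack = delete("alice", bob_c, article)   # first commenter targets the second

    return {
        "bob_deleted_alice": bob_attack == {"ok": True},
        "alice_deleted_bob": alice_attack == {"ok": True},
        "bob_comment_survives": store.exists(bob_c),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))
    print("fixed:     ", run_scenario(fixed=True))
```

In the vulnerable handler Bob's attempt fails with Authorization Failed, exactly as the researcher observed, while Alice's succeeds because the check never looks at who owns comment_id; in the fixed handler both cross-user deletions fail. The general lesson is the one IDOR fixes always come down to: authorize against the object the request actually references, after looking it up, rather than against a property of its parent.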


Below a video Proof of Concept published by the Egyptian researcher:


The Yahoo Security Team fixed the vulnerability a few weeks after Ahmed Aboul-Ela responsibly reported it.

Ahmed Aboul-Ela (@aboul3la) is an Egyptian security researcher, acknowledged by Google, Microsoft, Yahoo, Apple, eBay, Adobe, Red Hat and Nokia for reporting various vulnerabilities in their applications.

Pierluigi Paganini

(Security Affairs –  Yahoo, Hacking)