Egyptian cyber security analyst Ibrahim Raafat found an Insecure Direct Object Reference vulnerability in Yahoo's website and demonstrated it on his blog.
Exploiting the flaw escalates user privileges, allowing a hacker to delete more than 365,000 posts and 1,155,000 comments from Yahoo!'s database. Technical details of the vulnerability are explained below:
Deleting Comments: While deleting his own comment, Ibrahim noticed the HTTP header of the POST request, i.e.
Deleting Posts: Next, he also tested the post deletion mechanism and found a similar loophole in it. The HTTP header of a normal POST request for deleting a post is:
He found that appending the fid (topic id) variable to the URL allowed him to delete the corresponding post, even though it had not been posted by him, i.e.
Ibrahim has reported the flaw to the Yahoo Security team and also provided a video demonstration.
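Both flaws described above come down to a delete handler that trusts an object id from the request without checking who owns the object. The sketch below is an added example, not code from the original post or from Yahoo; apart from `fid`, every name is hypothetical and the sample data is constructed.

```python
# Added illustration: names other than `fid` are hypothetical, data is constructed.
from dataclasses import dataclass


@dataclass
class Post:
    fid: int      # topic id, the request parameter named in the write-up
    owner: str    # account that created the post


class Forum:
    def __init__(self, posts):
        self.posts = {p.fid: p for p in posts}
        self.denied = []  # (user, fid) pairs, kept for alerting on probing

    def delete_vulnerable(self, session_user, fid):
        """Flawed pattern: any authenticated user may delete any fid."""
        if session_user is None:
            return 401
        if self.posts.pop(fid, None) is None:
            return 404
        return 200

    def delete_checked(self, session_user, fid):
        """Hardened pattern: the object's owner must match the session."""
        if session_user is None:
            return 401
        post = self.posts.get(fid)
        # Same answer for "missing" and "not yours", so ids cannot be enumerated.
        if post is None or post.owner != session_user:
            self.denied.append((session_user, fid))
            return 404
        del self.posts[fid]
        return 200


def demo():
    sample = [Post(101, "alice"), Post(102, "bob")]  # constructed sample data
    weak, safe = Forum(sample), Forum(sample)
    results = {
        "weak_other": weak.delete_vulnerable("alice", 102),  # bob's post is gone
        "safe_other": safe.delete_checked("alice", 102),     # refused
        "safe_own": safe.delete_checked("alice", 101),       # allowed
    }
    return results, weak, safe


if __name__ == "__main__":
    print(demo()[0])
```

The `denied` list stands in for whatever audit log the application keeps; a run of refusals from one account across many ids is the signal worth alerting on.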