Flaw in Yahoo! Suggestions Allowed Hackers to Delete 1.5 Million Posts and Comments

The security researcher who uncovered the vulnerability has published a POC video

March 3rd, 2014 15:56 GMT

Ibrahim Raafat, a security researcher from Egypt, has uncovered a vulnerability in Yahoo! Suggestions that could have been exploited by a malicious actor to delete all 365,000 posts and 1,155,000 comments published by users.

According to the expert, he found an Insecure Direct Object Reference Vulnerability (IDORV) on Yahoo’s Suggestions website (suggestions.yahoo.com). The bug could have been leveraged by an attacker to escalate his privileges and gain access to the threads database.

The researcher started by analyzing the POST requests generated when users post or delete comments and topics. In the case of comments, the requests contained an ID parameter whose value was associated with each of the comments posted on the website.

By changing the value of the ID in the POST request, he could delete any comment. In the case of topics, the request did not contain an ID parameter, so the expert added it. The attack worked.

Raafat developed a script that could have allowed him to easily delete all the topics on the website by going through all the ID values.
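The missing check behind this class of bug, as an added example (not Yahoo's code or the researcher's): a delete handler that trusts the client-supplied ID, beside one that authorizes the session user against the object and rejects parameters the endpoint does not define. The function names, the `Post` record, the `moderators` argument and the sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the session user may not act on the requested object."""

@dataclass
class Post:
    id: int
    owner: str

def make_store():
    # Constructed sample rows, not real site data.
    return {101: Post(101, "alice"), 102: Post(102, "bob")}

def delete_vulnerable(store, session_user, form):
    # Flawed pattern: the client-supplied id is the only input to the decision.
    # session_user is never consulted, so any logged-in user can delete any row.
    return store.pop(int(form["id"]), None) is not None

def delete_hardened(store, session_user, form, allowed_fields=("id",), moderators=()):
    # 1. Reject parameters the endpoint does not define. An endpoint with no
    #    id field passes allowed_fields without "id", so an id added by the
    #    client (the topic case described above) is refused, not honoured.
    unexpected = set(form) - set(allowed_fields)
    if unexpected:
        raise Forbidden(f"unexpected fields: {sorted(unexpected)}")
    try:
        post_id = int(form["id"])
    except (KeyError, TypeError, ValueError):
        raise Forbidden("missing or malformed id") from None
    post = store.get(post_id)
    # 2. Authorize the session user against the object itself. Missing and
    #    foreign ids get the same error so responses do not reveal valid ids.
    allowed = post is not None and (
        post.owner == session_user or session_user in moderators
    )
    if not allowed:
        raise Forbidden("not allowed")
    del store[post_id]
    return True
```

The identity used for the decision comes from the server-side session, never from the request body.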

Raafat reported his findings to Yahoo! and the company addressed the issue within two days. The expert has refused to disclose the amount of money paid out by Yahoo.

If you’re interested in the technical details, check out Ibrahim Raafat’s blog and the video POC he has published on YouTube.
