Two months ago, we reported a critical vulnerability on the Yahoo Answers platform that allowed a hacker to delete all the posted thread and comments from Yahoo's Suggestion Board website.
Recently, a similar vulnerability has been reported by another Egyptian security researcher 'Ahmed Aboul-Ela', that allows him to delete any comment from all Yahoo Services, including Yahoo News , Yahoo Sports , Yahoo TV , Yahoo Music , Yahoo Weather, Yahoo Celebrity , Yahoo Voices and more.
HOW TO DELETE ANY COMMENT
When yahoo users comment on any article or post on any of the Yahoo services, they are allowed to delete their own comment anytime. But the reported vulnerability discovered by Ahmed allows them to delete all the comments, even if they are posted by others.
To delete a comment, one can initiate the request by clicking on the delete button and once clicked, the page sends a POST request to the Yahoo server with some variables i.e. comment_id and content_id, where comment_id represents the comment's serial number and content_id represents the article identifier.
To carry out this, an attacker just has to initiate a request to delete his own comment, then needs to tamper the POST request in order to replace his own comment_id parameter value with the value of targeted comment. Once the server will receive this request, it will delete that comment from the database, as it fails to validate user's permissions.
VIDEO DEMONSTRATION
But there is a small dependency here, an attacker can delete comments from a post, only if he is the first to comment on that post.
"The vulnerability will only work if you were the first commenter on the article as you will have a privilege to delete any other yahoo users comments who post comment after you. otherwise it will give you the Authorization Failed error message , so it seems that the developer was taking care of the bug but he just forgot to add the validation when he checks if you are the first commenter." Ahmad explained.
The vulnerability has been fixed by Yahoo Security Team after Ahmad reported them few weeks before.
