How to delete 1,500,000 entries from Yahoo database

On the fourth most visited site, Yahoo.com, another vulnerability was discovered, this time on the sub-domain of suggestions.yahoo.com . This vulnerability allows an attacker to delete the entire ribbon of the Yahoo Suggestion Board, as well as all comments to it.




Ibrahim Raafat (Ibrahim Raafat), an information security specialist, discovered an insecure direct link to object vulnerability on one of the subdomains of the Yahoo site. Taking advantage of the user privilege vulnerability, an attacker could delete more than 365,000 messages and 1,155,000 comments from the database in the proposal section for improving the Yahoo site.
')

Technical details

In the process of deleting his comment, Ibrahim drew attention to the HTTP header. The POST request was as follows:

prop=addressbook&fid=367443&crumb=Q4.PSLBfBe.&cid=1236547890&cmd=delete_comment 

Where the parameter ' fid ' is the ID of the topic, and ' cid ' is the comment ID. It turned out that changing the values ​​of the ID of the topic and the comment allows you to delete the corresponding comment written by another user.

Further, the mechanism for removing the topic was tested, in consequence of which a similar loophole was found. The HTTP header for the topic delete request looks like this:

 POST cmd=delete_item&crumb=SbWqLz.LDP0 

It turned out that adding a fid (topic ID) to a variable in a URL allows you to delete posts written by another author. For example:

 POST cmd=delete_item&crumb=SbWqLz.LDP0&fid=xxxxxxxx 

Thus, any unfriendly programmer could write a script that would lead to the removal of all sentences and comments to them. The vulnerability was reported to the security department of Yahoo, at the moment its proxy.