Yahoo vulnerability could have allowed Hacker to delete more than 1.5 million records

Ibrahim Raafat (@RaafatSEC), an Egyptian security researcher, identified a vulnerability in Yahoo that could potentially have allowed the deletion of more than 1.5 million records from its database. He demonstrated the Insecure Direct Object Reference (IDOR) vulnerability on his blog; it appears to have since been fixed by Yahoo.

He performed the demo with his own account. The vulnerability escalated the user's privilege to delete rows from the topics and comments tables in the database, allowing the user to delete any topic or comment on Yahoo. Currently there are more than 1,155,000 comments and 365,000 posts that were potentially at risk.

Ibrahim further explains how the attack can be performed:

As a first step he added a comment on a random post. He then found that he could delete his own comment, which Yahoo allows. He therefore analyzed the traffic with Live HTTP Headers to understand what is sent when his own comment is deleted.

POST Request

It consists of the following 5 parameters:

prop = category
fid = topic id
crumb = something like a session token
cid = comment id
cmd = the method

Later, in another browser, he signed in with another account and posted a comment.

He changed the fid and cid parameter values, which allowed him to delete comments from the forum that had been posted by the other user. Bingo!

He tried the same for topic deletion and it worked:

POST cmd=delete_item&crumb=SbWqLz.LDP0 (without changes)

POST cmd=delete_item&crumb=SbWqLz.LDP0&fid=xxxxxxxx (after the attack)
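The root cause described above is that the server validated the session crumb but never checked that the caller owned the object named by fid/cid. The following is an added illustration, not code from the article or from Yahoo: a toy delete handler in its vulnerable form beside a fixed one; the users, ids, comment store and login flow are all constructed for the example.

```python
# Added illustration (not Yahoo's code): a delete_item handler with an IDOR,
# and the same handler with the ownership check that closes it.
# All users, ids and the crumb issuance below are constructed sample data.
import secrets

# topic id (fid) -> {comment id (cid) -> author}
COMMENTS = {
    "topic1": {"c1": "alice", "c2": "bob"},
}
# crumb -> user; stands in for the "crumb" parameter in the captured request
CRUMBS = {}

def login(user):
    """Issue a per-session crumb (assumed flow, not the real Yahoo login)."""
    crumb = secrets.token_urlsafe(8)
    CRUMBS[crumb] = user
    return crumb

def delete_item_vulnerable(crumb, fid, cid):
    """Checks only that the crumb is valid, then deletes whatever fid/cid name.
    A crumb proves the request came from a logged-in session; it says nothing
    about who owns the comment, so changing cid deletes other users' comments."""
    if crumb not in CRUMBS:
        return "invalid crumb"
    comments = COMMENTS.get(fid, {})
    if cid not in comments:
        return "not found"
    del comments[cid]
    return "deleted"

def delete_item_fixed(crumb, fid, cid):
    """Resolves the acting user from the crumb and deletes only if that user
    authored the referenced comment (moderator roles not modelled here)."""
    user = CRUMBS.get(crumb)
    if user is None:
        return "invalid crumb"
    comments = COMMENTS.get(fid, {})
    if cid not in comments:
        return "not found"
    if comments[cid] != user:
        # Worth logging: a valid session naming an object it does not own is
        # the signature of an IDOR probe and a useful detection signal.
        return "forbidden"
    del comments[cid]
    return "deleted"
```

The fix is to derive the acting identity from the session server-side and authorize every object reference against it, rather than trusting ids supplied by the client.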

With a simple loop, Yahoo could have lost 1.5 million records had this been exploited. Yahoo must be grateful to Ibrahim for this amazing finding, and we hope Yahoo's conservative Mayer gives a big bounty for Ibrahim's hard work.

A video of the attack is available here:
