Ibrahim Raafat (@RaafatSEC), an Egyptian security researcher, identified a vulnerability which could potentially have deleted more than 1.5 million records from Yahoo's database. He further demonstrated the ‘Insecure Direct Object Reference’ vulnerability on his blog; Yahoo appeared to have fixed it.
He performed the demo with his own account. The vulnerability escalated the user's privilege to delete the tables of topics and comments in the database, allowing the user to delete any topic or comment on Yahoo. Currently there are more than 1,155,000 comments and 365,000 posts which were potentially at risk.
Ibrahim further explains how the attack can be performed:
As a first step, he added a comment on a random post. He then found that he could delete his own comment, which Yahoo allows. He therefore analyzed the Live HTTP Headers output to understand how the traffic flows when his own comment is deleted.
POST Request
prop=addressbook&fid=367443&crumb=Q4.PSLBfBe.&cid=1236547890&cmd=delete_comment
It consists of 5 parameters, as stated below:
prop = category
fid = topic id
crumb = something like session
cid = comment id
cmd = the method
Later, in another browser, he signed in with another account and posted a comment.
He changed the fid and cid parameter values, which allowed him to delete other comments from the forum that had been posted by another user. Bingo!
He tried the same for topic deletion and it worked:
POST cmd=delete_item&crumb=SbWqLz.LDP0 (without changes)
POST cmd=delete_item&crumb=SbWqLz.LDP0&fid=xxxxxxxx (after the attack)
With a loop statement, Yahoo would have lost 1.5 million records if this had been exploited. Yahoo must be grateful to Ibrahim for this amazing finding, and we hope Yahoo’s conservative Mayer gives a big bounty for Ibrahim’s hard work.
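The server-side check that was missing for the delete_comment request above, shown beside the flawed pattern. This is an added example, not Yahoo's code or the researcher's; the in-memory store, the user names and the treatment of crumb as a per-session token are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

class Forbidden(Exception):
    """Raised when a request must be refused."""

# Constructed data, not real records: crumb -> user, and cid -> comment.
SESSIONS = {"Q4.PSLBfBe.": "alice"}
def new_store():
    return {1236547890: {"fid": 367443, "owner": "alice"},
            1236547891: {"fid": 367443, "owner": "bob"}}

# Body from the article, and a constructed copy that names bob's comment.
OWN_BODY = "prop=addressbook&fid=367443&crumb=Q4.PSLBfBe.&cid=1236547890&cmd=delete_comment"
OTHER_BODY = OWN_BODY.replace("cid=1236547890", "cid=1236547891")

def authenticate(params):
    # Assumption: the crumb is a per-session token that identifies the caller.
    user = SESSIONS.get(params.get("crumb"))
    if user is None:
        raise Forbidden("invalid crumb")
    return user

def delete_comment_unchecked(store, body):
    """Flawed pattern: a valid crumb is the only gate; cid is trusted."""
    params = dict(parse_qsl(body))
    authenticate(params)
    return store.pop(int(params["cid"]), None) is not None

def delete_comment_checked(store, body):
    """Hardened: the object must exist in the topic and belong to the caller."""
    params = dict(parse_qsl(body))
    user = authenticate(params)
    cid, fid = int(params["cid"]), int(params["fid"])
    comment = store.get(cid)
    if comment is None or comment["fid"] != fid:
        raise Forbidden("no such comment in this topic")
    if comment["owner"] != user:
        raise Forbidden("caller does not own this comment")
    del store[cid]
    return True

if __name__ == "__main__":
    store = new_store()
    print("unchecked:", delete_comment_unchecked(store, OTHER_BODY))
    store = new_store()
    try:
        delete_comment_checked(store, OTHER_BODY)
    except Forbidden as exc:
        print("checked:", exc)
```

The crumb proves who is calling, not what they may touch; the ownership comparison has to be made against the stored record, never against identifiers supplied in the request.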
Video of the attack is available here: