SECURITY GEEK

Random ramblings in Infosec

One Vulnerability allowed deleting comments of any user in all Yahoo sites

Hello all,

Today I'm going to write about a strange and critical vulnerability that affected 90% of Yahoo's services, such as Yahoo News, Yahoo Sports, Yahoo TV, Yahoo Music, Yahoo Weather, Yahoo Celebrity, Yahoo Voices and more.

The vulnerability allowed me to delete any user's comments on all of these Yahoo sites. The impact of the vulnerability is high because it could have been used to delete millions of comments.

For example, here is a single article with 12565 comments!

[Image: yahoo comments]

The story started when I tried out the comments section on one of the Yahoo sites, "tv.yahoo.com". I added a comment on an article and found that I was able to delete that comment, so I deleted it while capturing the HTTP request. I found that it sent a POST request to "https://tv.yahoo.com/_xhr/contentcomments/delete_comment/" with the following parameters:

comment_id=1399678299182-a7043814-9858-482a-87cd-3448b0892cdd&content_id=485d5605-df95-3569-9456-33882964aea9&crumb=DcUNKWnp7%2F8

The comment_id was the ID of my comment, so the first thing that came to mind was to check whether the developer properly validated this comment ID. I decided to play with it: I opened a second browser (Chrome), logged in with another Yahoo account and wrote a comment on the same topic. Then, back in Firefox, I gave that comment a thumbs up (rating) and intercepted the request.

From the rating request I copied the comment_id of the other Yahoo account's comment. Then I replayed the delete_comment request with my comment_id replaced by the other account's comment_id, and the result was BOOOM!

[Image: yahoo comments1]

A JSON response with a 200 status code, indicating that the comment had been deleted successfully!

[Image: success]

I didn't believe my eyes that such a vulnerability could affect a main Yahoo website, so I reported the vulnerability to Yahoo right away.
But unfortunately I got this response from the Yahoo security team!

[Image: yahoo-response]

I was shocked at first, so I tried to check whether the vulnerability still worked. I visited a new article and tried to reproduce the bug with the same steps as before, but this time the result was the following!!

[Image: yahoo comments2]

{"error":{"description":"Authorization Failed","detail":{"content":["The user does not have permissions to edit the comment"]}}}

Oh no!

[Image: cry]

The vulnerability seemed to be fixed :( But how? Yahoo hadn't mentioned that someone else had reported it. So I decided to try again in case something had gone wrong: I went back to the old article that I had successfully deleted comments from before and tried the vulnerability again, and guess what!? It workeeeed again :D

I was surprised and wondered why it worked on that topic but failed on the other one, when it was the same domain and the same application. So I investigated further, and after some deep research I finally found the trick:

The vulnerability only works if you were the first commenter on the article; in that case you have the privilege to delete the comments of any other Yahoo user who posts after you. Otherwise you get the "Authorization Failed" error message. So it seems the developer had taken care of the bug in general, but forgot to apply the ownership validation in the code path that checks whether you are the first commenter.
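To make the access-control flaw described above concrete, here is an added example (my own illustration, not Yahoo's code, and the handler names, the in-memory store and the success payload are constructed) that models a delete-comment handler in the two forms the post implies: one where the per-comment ownership check is skipped for the article's first commenter, and one where authorization is decided purely from the caller's identity and the comment's author. Both handlers are exercised against the two situations from the post (attacker commented first, victim commented first).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Error body mirrors the one shown on the page; the success body is constructed.
AUTHZ_FAILED = {
    "error": {
        "description": "Authorization Failed",
        "detail": {"content": ["The user does not have permissions to edit the comment"]},
    }
}
SUCCESS = {"result": "success"}
NOT_FOUND = {"error": {"description": "Not Found"}}


@dataclass
class Comment:
    comment_id: str
    content_id: str
    author: str


@dataclass
class CommentStore:
    # content_id -> comments in posting order, so index 0 belongs to the first commenter.
    by_content: Dict[str, List[Comment]] = field(default_factory=dict)

    def add(self, comment_id: str, content_id: str, author: str) -> Comment:
        c = Comment(comment_id, content_id, author)
        self.by_content.setdefault(content_id, []).append(c)
        return c

    def find(self, content_id: str, comment_id: str) -> Optional[Comment]:
        return next(
            (c for c in self.by_content.get(content_id, []) if c.comment_id == comment_id),
            None,
        )


def delete_comment_vulnerable(store: CommentStore, user: str, content_id: str, comment_id: str) -> dict:
    """Hypothetical handler with the flaw the post describes: ownership of the
    target comment is only enforced when the caller is NOT the first commenter."""
    comments = store.by_content.get(content_id, [])
    target = store.find(content_id, comment_id)
    if target is None:
        return NOT_FOUND
    is_first_commenter = bool(comments) and comments[0].author == user
    # BUG: position in the thread is treated as a privilege over other users' comments.
    if is_first_commenter or target.author == user:
        comments.remove(target)
        return SUCCESS
    return AUTHZ_FAILED


def delete_comment_fixed(store: CommentStore, user: str, content_id: str, comment_id: str) -> dict:
    """Hardened handler: every delete is authorised against the target comment's
    author and nothing else, so the identifier in the request cannot widen access."""
    target = store.find(content_id, comment_id)
    if target is None:
        return NOT_FOUND
    if target.author != user:
        return AUTHZ_FAILED
    store.by_content[content_id].remove(target)
    return SUCCESS


def run_scenarios() -> Dict[str, str]:
    """Replays the two situations from the post against both handlers and
    records the outcome of the attacker trying to delete the victim's comment."""
    outcomes: Dict[str, str] = {}
    for label, handler in (("vulnerable", delete_comment_vulnerable), ("fixed", delete_comment_fixed)):
        # Scenario 1: attacker commented first, victim commented afterwards.
        s = CommentStore()
        s.add("c-attacker", "article-1", "attacker")
        s.add("c-victim", "article-1", "victim")
        r = handler(s, "attacker", "article-1", "c-victim")
        outcomes[f"{label}/attacker_first"] = "deleted" if r == SUCCESS else r["error"]["description"]

        # Scenario 2: victim commented first, attacker commented afterwards.
        s = CommentStore()
        s.add("c-victim", "article-2", "victim")
        s.add("c-attacker", "article-2", "attacker")
        r = handler(s, "attacker", "article-2", "c-victim")
        outcomes[f"{label}/victim_first"] = "deleted" if r == SUCCESS else r["error"]["description"]

        # Sanity check: a user deleting their own comment must keep working in both versions.
        r = handler(s, "attacker", "article-2", "c-attacker")
        outcomes[f"{label}/own_comment"] = "deleted" if r == SUCCESS else r["error"]["description"]
    return outcomes


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

The useful takeaway for reviewers is in the vulnerable branch: the check still runs, so a quick test from a second account on an arbitrary article looks secure, and only the thread-position special case leaks. Authorization checks should be expressed as a single predicate over (caller, target object), and any "privileged" shortcut should be tested with a second account in every state the shortcut can reach.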

Finally I explained the case to Yahoo; they confirmed the bug, and now it's FIXED :).

For more info, kindly see the following POC video.

Thanks to the Yahoo Security Team for releasing a fast fix for the vulnerability.
