Yahoo has again been caught out by security researchers: a researcher from Security Geek discovered a new vulnerability in Yahoo. The vulnerability allowed him to delete any user's comments on all of these Yahoo sites.
This vulnerability affected 90% of Yahoo's services. Its impact is high because it could be used to delete millions of comments.
The researcher checked the comments section on one of Yahoo's sites, "tv.yahoo.com". He added a comment on an article and found that there was an option to delete that comment.
So he deleted the comment while capturing the HTTP request, and found that it sent a POST request to "https://tv.yahoo.com/_xhr/contentcomments/delete_comment/" with the following parameters:
comment_id=1399678299182-a7043814-9858-482a-87cd-3448b0892cdd&content_id=485d5605-df95-3569-9456-33882964aea9&crumb=DcUNKWnp7%2F8
The comment_id was the ID of the researcher's own comment, so his first thought was to check whether the developer properly validated this comment ID.
After that he opened a second browser (Chrome) and logged in with another Yahoo account, wrote a comment on the same topic, and then, back in the first browser (Firefox), gave a thumbs up (rating) to that comment and intercepted the request.
From the rating request he copied the comment_id of the other Yahoo account's comment. He then replayed the delete_comment request with comment_id replaced by that comment ID, and the result was positive for the researcher and negative for Yahoo.
The researcher said, "The vulnerability seems to be fixed, but how? Yahoo didn't mention that someone else reported it. So I should try again, maybe something was wrong. I visited the old article that I successfully deleted comments from before and I tried the vulnerability again, and guess what!? It workeeeed again."
The vulnerability only works if you were the first commenter on the article, because the first commenter has the privilege to delete the comments of any other Yahoo users who comment afterwards.
Otherwise the request returns the "Authorization Failed" error message. So it seems that the developer had addressed the bug but forgot to add the validation in the case where the requester is the first commenter.
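The authorization gap described above, modelled as an added example (this is not Yahoo's code, which the article does not show). The data model, the function names and the shape of the flawed branch are assumptions chosen to reproduce the reported behaviour next to an ownership check that denies by default.

```python
# Added example: hypothetical model of a delete_comment authorization check.
from dataclasses import dataclass


@dataclass(frozen=True)
class Comment:
    comment_id: str
    content_id: str  # article the comment belongs to
    author: str      # account that posted it
    posted_at: int   # ordering within the article


# Constructed sample data: alice commented first on article-1, bob second.
COMMENTS = {
    "c-1": Comment("c-1", "article-1", "alice", 1),
    "c-2": Comment("c-2", "article-1", "bob", 2),
    "c-3": Comment("c-3", "article-2", "bob", 1),
}


def first_commenter(content_id):
    """Author of the earliest comment on an article, or None if it has none."""
    on_article = [c for c in COMMENTS.values() if c.content_id == content_id]
    first = min(on_article, key=lambda c: c.posted_at, default=None)
    return first.author if first else None


def can_delete_flawed(user, comment_id, content_id):
    """Assumed shape of the bug: ownership is not checked for the first commenter."""
    comment = COMMENTS.get(comment_id)
    if comment is None:
        return False
    if user == first_commenter(content_id):
        return True  # missing check: does this comment belong to `user`?
    return comment.author == user  # everyone else gets "Authorization Failed"


def can_delete_fixed(user, comment_id, content_id):
    """Deny by default: the comment must exist, sit on that article, and be the caller's.

    `user` must come from the authenticated session, never from request parameters.
    """
    comment = COMMENTS.get(comment_id)
    if comment is None or comment.content_id != content_id:
        return False
    return comment.author == user
```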
Author: Venkatesh Yalagandula