
Friday, March 7, 2014

Yahoo vulnerability allows Hacker to delete 1.5 million records from Database

Yahoo!, the 4th most visited website on the Internet, has been found vulnerable multiple times, and this time a hacker has claimed to spot a critical vulnerability in the Yahoo! sub-domain 'suggestions.yahoo.com' that could allow an attacker to delete all the posted threads and comments on Yahoo's Suggestion Board website.

Egyptian cyber security analyst Ibrahim Raafat found an 'Insecure Direct Object Reference' (IDOR) vulnerability in Yahoo's website and demonstrated it on his blog.

Exploiting the flaw effectively escalates an ordinary user's privileges, allowing an attacker to delete more than 365,000 posts and 1,155,000 comments from the Yahoo! database. The technical details of the vulnerability are explained below:

Deleting Comments: While deleting his own comment, Ibrahim noticed the parameters sent in the POST request, i.e.
prop=addressbook&fid=367443&crumb=Q4.PSLBfBe.&cid=1236547890&cmd=delete_comment
where the parameter 'fid' is the topic ID and 'cid' is the ID of the respective comment. While testing, he found that changing the fid and cid parameter values allowed him to delete other comments from the forum that were actually posted by other users.

Deleting Posts: Next, he also tested the post deletion mechanism and found a similar loophole in it. A normal POST request for deleting a post carries:
POST cmd=delete_item&crumb=SbWqLz.LDP0
He found that appending the fid (topic ID) parameter to the request allowed him to delete the respective post, even though it was not posted by him, i.e.
POST cmd=delete_item&crumb=SbWqLz.LDP0&fid=xxxxxxxx
Ibrahim reported the flaw to the Yahoo security team and also provided a video demonstration.
A potential attacker with only a little programming knowledge could write an automated script to delete all the comments and posts.
The vulnerability hunter claimed that he received a bug bounty for reporting this security flaw to Yahoo, which has now fixed it.
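To show the defect behind both requests above, here is an added Python example (not Yahoo's code and not from Ibrahim's write-up): a minimal handler for the delete_comment and delete_item commands, first as the vulnerable form that trusts the client-supplied cid/fid, then hardened with a server-side ownership check. The store, user names and crumb values are constructed sample data; the parameter names are the ones from the post.

```python
from urllib.parse import parse_qs

def sample_store():
    """Constructed sample data (not Yahoo's): topics keyed by fid, comments by cid."""
    return {
        "topics": {"367443": {"owner": "alice"}, "367444": {"owner": "bob"}},
        "comments": {
            "1236547890": {"fid": "367443", "owner": "alice"},
            "1236547891": {"fid": "367443", "owner": "bob"},
        },
    }

# Per-session anti-CSRF token (the 'crumb' in the post); values constructed here.
CRUMBS = {"alice": "Q4.PSLBfBe.", "bob": "SbWqLz.LDP0"}

def _params(body):
    return {k: v[0] for k, v in parse_qs(body).items()}

def vulnerable_delete(user, body, store):
    """Checks the crumb but trusts cid/fid: any user can delete any object (IDOR)."""
    p = _params(body)
    if p.get("crumb") != CRUMBS.get(user):
        return "forbidden"
    if p.get("cmd") == "delete_comment" and p.get("cid") in store["comments"]:
        del store["comments"][p["cid"]]
        return "deleted"
    if p.get("cmd") == "delete_item" and p.get("fid") in store["topics"]:
        del store["topics"][p["fid"]]
        return "deleted"
    return "error"

def hardened_delete(user, body, store):
    """Same endpoint, but the referenced object must belong to the calling user."""
    p = _params(body)
    if p.get("crumb") != CRUMBS.get(user):
        return "forbidden"
    if p.get("cmd") == "delete_comment":
        kind, key = "comments", p.get("cid")
    elif p.get("cmd") == "delete_item":
        kind, key = "topics", p.get("fid")
    else:
        return "error"
    obj = store[kind].get(key)
    # Missing and not-owned objects get the same answer, so ids cannot be enumerated.
    if obj is None or obj["owner"] != user:
        return "forbidden"
    # For comments, the client-supplied fid must also match the comment's real topic.
    if kind == "comments" and obj["fid"] != p.get("fid"):
        return "forbidden"
    del store[kind][key]
    return "deleted"
```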
