
New Yahoo vulnerability allows anyone to delete posts and comments

A cyber security analyst has discovered yet another vulnerability at Yahoo’s website that this time affects message boards and allows all posted threads and comments to be deleted.


The vulnerability exists on and allows hackers to delete anything posted on the site, which contains some 365,000 posts as well as 1,115,000 comments.

The Hacker News reports that the problem was discovered by an Egyptian cyber security analyst known as Ibrahim Raafat, who found the ‘Insecure Direct Object Reference Vulnerability’ on the site and reported it via his blog, explaining in explicit detail how to exploit it.

Raafat worked out that the vulnerability was present while deleting his own comment, when he found that the HTTP header of the POST request could be edited to delete any comment on the site. The header contained an ‘fid’, which stands for the topic ID, and a ‘cid’, which is the comment ID, and changing these let Raafat delete comments other than his own.

After doing this he also tested the post deletion mechanism, which allowed him to delete topics not posted by him, much as he had with comments. Raafat sent a video to Yahoo in order to illustrate the vulnerability.
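The missing check described above, shown as an added illustration that is not taken from Raafat's report or from Yahoo's code: a delete handler that trusts the client-supplied ‘fid’ and ‘cid’, next to one that verifies ownership on the server. The data model, function names and sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Comment:
    cid: int     # comment ID
    fid: int     # ID of the topic the comment belongs to
    author: str  # account that posted the comment

def sample_store():
    """Constructed sample data, not real message-board content."""
    return {
        101: Comment(cid=101, fid=7, author="alice"),
        102: Comment(cid=102, fid=7, author="bob"),
    }

def delete_comment_unchecked(store, session_user, fid, cid):
    """Flawed pattern: acts on whatever IDs the request carries.
    session_user is accepted but never consulted."""
    return store.pop(cid, None) is not None

def delete_comment_checked(store, session_user, fid, cid, audit):
    """Hardened pattern: the object must exist, match the stated topic,
    and belong to the authenticated caller. Denials are recorded in
    `audit` so that repeated ID tampering can be detected."""
    comment = store.get(cid)
    if comment is None or comment.fid != fid:
        audit.append((session_user, fid, cid, "no such comment in topic"))
        return False
    if comment.author != session_user:
        audit.append((session_user, fid, cid, "not owner"))
        return False
    del store[cid]
    return True

if __name__ == "__main__":
    store, audit = sample_store(), []
    # alice is logged in and sends bob's comment ID.
    print("unchecked:", delete_comment_unchecked(sample_store(), "alice", 7, 102))
    print("checked:  ", delete_comment_checked(store, "alice", 7, 102, audit))
    print("audit log:", audit)
```

The same ownership test applies to topic deletion, with the topic's author compared against the session user.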

This is by no means the first time that vulnerabilities in Yahoo’s legion of sites have been discovered, and it comes in the wake of the company admitting that it had reset its users’ accounts after hackers had stolen the usernames and passwords.


Before the admission of those passwords being leaked, the company also had 450,000 email passwords stolen from users of Yahoo Voices back in 2012, and the latest vulnerability will only further damage confidence in its service.