Security vulnerability in Yahoo allows Hacker to delete 1.5 million records from Database
A security researcher named “Ibrahim Raafat” found an “Insecure Direct Object Reference” vulnerability in suggestions.yahoo.com, and found that he was able to delete more than 1,500,000 records from Yahoo’s database.
This vulnerability has been reported to Yahoo, and Yahoo has patched it. The security researcher says that he received a bounty for reporting the vulnerability to Yahoo!
You can learn more about the Bug Bounty Program.
How did the attacker find this vulnerability?
He deleted a comment and then observed the behavior of the URL. Using the same URL with a different comment ID, the security researcher was able to delete other users’ comments too! That was the very first web application security vulnerability!
He also added a new topic in the discussion using another Yahoo account, and he was able to delete that discussion topic too, using the other Yahoo account!
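
The flaw described above, reduced to a minimal sketch: a delete handler that trusts the submitted comment ID, next to one that checks ownership against the authenticated session. This is an added example, not Yahoo's code or the researcher's; the store, account names and function names are hypothetical, and the sample data is constructed.

```python
# Added illustration with hypothetical names; not Yahoo's code.
class Forbidden(Exception):
    """Caller is not allowed to act on the referenced object."""

def make_store():
    # Constructed sample data: comment ID -> owning account.
    return {1001: "alice", 1002: "bob", 1003: "bob"}

def delete_vulnerable(store, session_user, comment_id):
    # IDOR: the client-supplied ID is trusted; session_user is never
    # compared with the comment's owner.
    return store.pop(comment_id, None) is not None

def delete_checked(store, session_user, comment_id):
    # Fix: resolve the object, then authorize it against the session.
    owner = store.get(comment_id)
    if owner is None or owner != session_user:
        # Same error for "missing" and "not yours" so IDs cannot be probed.
        raise Forbidden(f"{session_user} may not delete {comment_id}")
    del store[comment_id]
    return True

def run_case(handler, session_user, comment_id):
    """Run one delete against fresh data; return (outcome, remaining IDs)."""
    store = make_store()
    try:
        outcome = handler(store, session_user, comment_id)
    except Forbidden:
        outcome = "forbidden"
    return outcome, sorted(store)

if __name__ == "__main__":
    # alice is logged in and submits bob's comment ID 1002.
    print(run_case(delete_vulnerable, "alice", 1002))
    print(run_case(delete_checked, "alice", 1002))
    print(run_case(delete_checked, "alice", 1001))
```
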
For more technical details about this vulnerability, you can visit the security researcher's blog.
Any programmer with a simple knowledge of programming can delete Yahoo's whole database.
