Hello everyone, my name is Bernardo and I’m from Chile. This time I bring you a bug (IDOR) that I found in Yahoo that allows you to remove any comment on the website.
I found this vulnerability on a page under https://*.yahoo.com where users commented on and evaluated a product from that website. I started looking at the users' comments and evaluations on the website and came across the following surprise.
POC
Id = my own
id = user
And the surprise appeared: the comment of that user was deleted.
my face when this happened
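The missing check behind an IDOR like this one, as an added example that is not part of the original post and not Yahoo's code. It assumes a hypothetical `CommentStore` with constructed ids 101 ("my own") and 102 (another user), and shows a delete handler that trusts the supplied id next to one that compares the comment's owner with the session user and records refusals.

```python
# Added illustration: hypothetical comment store, not Yahoo's code.
from dataclasses import dataclass, field

class Forbidden(Exception):
    pass

@dataclass
class CommentStore:
    comments: dict = field(default_factory=dict)  # comment_id -> owner (constructed)
    denied: list = field(default_factory=list)    # audit trail for detection

    def delete_vulnerable(self, session_user: str, comment_id: int) -> bool:
        # IDOR: the client-supplied id is trusted; the owner is never
        # compared with the authenticated session user.
        return self.comments.pop(comment_id, None) is not None

    def delete_checked(self, session_user: str, comment_id: int) -> bool:
        owner = self.comments.get(comment_id)
        if owner is None:
            return False  # nothing to delete
        if owner != session_user:
            self.denied.append((session_user, comment_id, owner))  # log, then refuse
            raise Forbidden(f"{session_user!r} does not own comment {comment_id}")
        del self.comments[comment_id]
        return True

def demo() -> dict:
    sample = {101: "alice", 102: "bob"}  # constructed: 101 is "my own", 102 is "user"
    vuln = CommentStore(dict(sample))
    vuln.delete_vulnerable("alice", 102)  # another user's comment disappears
    fixed = CommentStore(dict(sample))
    try:
        fixed.delete_checked("alice", 102)
        blocked = False
    except Forbidden:
        blocked = True
    own_ok = fixed.delete_checked("alice", 101)  # deleting your own still works
    return {
        "vulnerable_lost_other": 102 not in vuln.comments,
        "fixed_blocked": blocked,
        "fixed_kept_other": 102 in fixed.comments,
        "own_delete_ok": own_ok,
        "denied_log": fixed.denied,
    }

if __name__ == "__main__":
    print(demo())
```

The `denied` list doubles as a detection signal: repeated refusals from one session across many comment ids are worth alerting on.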
thanks for reading this post
thanks HackerOne
bug bounty yahoo reward
and swag yahoo :D
My data: https://twitter.com/bada_77