YAHOO IDOR - elimination of any comment

Hello everyone, my name is Bernardo and I'm from Chile. This time I bring you a bug (IDOR) that I found in Yahoo that allows you to remove any comment on the website.

I found this vulnerability on a page, https://*, on which users commented on and evaluated a product from that website, so I started to look at the comments and evaluations of users on the website and I came across the following surprise.


Id = my own

id = user

And the surprise appeared: the comment of that user was deleted.
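The behaviour described above is a delete action that trusts the comment id sent by the client without checking who owns that comment. The following Python example is added here for illustration and is not from the original post or Yahoo's code; it contrasts a delete handler with that flaw against one that checks ownership on the server. All names (`CommentStore`, `delete_vulnerable`, `delete_checked`) and the sample ids are hypothetical.

```python
# Added illustration: hypothetical in-memory comment store, not Yahoo's code.
from dataclasses import dataclass


class Forbidden(Exception):
    """The authenticated user does not own the comment."""


@dataclass
class Comment:
    id: int
    author_id: int
    text: str


class CommentStore:
    def __init__(self, comments):
        self._by_id = {c.id: c for c in comments}

    def exists(self, comment_id):
        return comment_id in self._by_id

    def delete_vulnerable(self, session_user_id, comment_id):
        # IDOR: the client-supplied id is trusted and session_user_id is
        # never consulted, so any logged-in user can delete any comment.
        if comment_id not in self._by_id:
            raise KeyError(comment_id)
        del self._by_id[comment_id]

    def delete_checked(self, session_user_id, comment_id):
        # Fix: load the object first, then compare its owner with the
        # identity taken from the server-side session, never from the request.
        comment = self._by_id.get(comment_id)
        if comment is None:
            raise KeyError(comment_id)
        if comment.author_id != session_user_id:
            raise Forbidden(f"user {session_user_id} does not own comment {comment_id}")
        del self._by_id[comment_id]


def sample_store():
    # Constructed sample data: comment 101 belongs to user 1, 202 to user 2.
    return CommentStore([Comment(101, 1, "my review"), Comment(202, 2, "another user's review")])
```

Logging each `Forbidden` rejection with the session user and the requested id gives defenders a signal when someone walks through ids that are not theirs.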

Thanks for reading this post.

thanks @hackerone
bug bounty yahoo reward
and swag yahoo :D
