YAHOO IDOR - deletion of any comment

Aug 17, 2018 · 2 min read

Hello everyone, my name is Bernardo and I’m from Chile. This time I bring you a bug (an IDOR) that I found in Yahoo that allows you to remove any comment on the website.

I found this vulnerability on a page, https://*, where users commented on and evaluated a product from that website, so I started looking at the comments and evaluations of other users on the website and came across the following surprise.

id = my own

id = user

And the surprise appeared: the comment of that user was deleted.
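The root cause described above is an authorization gap: the delete endpoint trusted the client-supplied comment id and never checked that the logged-in user owned that comment. The following is an added example, not code from the original post or from Yahoo, that shows the vulnerable handler pattern next to a hardened one. The data model, user names, comment ids and function names are all constructed for illustration.

```python
"""
Added example (not from the original post): a minimal comment-deletion
handler written two ways, to show the authorization gap behind an IDOR.

Everything here is constructed for illustration: the data model, the user
names, the comment ids and the function names are assumptions, not Yahoo's
code or API.
"""
from dataclasses import dataclass, field


@dataclass
class Comment:
    comment_id: int
    owner: str
    text: str


@dataclass
class CommentStore:
    comments: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, comment):
        self.comments[comment.comment_id] = comment


class Forbidden(Exception):
    """Raised when the caller does not own the object they try to act on."""


def delete_comment_vulnerable(store, session_user, comment_id):
    """
    Vulnerable pattern: the handler only checks that the session is valid
    and that the comment exists. The comment_id comes straight from the
    request, so any logged-in user can delete any comment by changing the id.
    """
    if session_user is None:
        raise PermissionError("login required")
    if comment_id not in store.comments:
        return False
    del store.comments[comment_id]
    return True


def delete_comment_secure(store, session_user, comment_id):
    """
    Hardened pattern: authorization is decided from the server-side session
    and the stored owner of the object, never from the client-supplied id alone.
    Denied attempts are logged so repeated cross-user requests can be detected.
    """
    if session_user is None:
        raise PermissionError("login required")
    comment = store.comments.get(comment_id)
    if comment is None or comment.owner != session_user:
        # Same response for "not found" and "not yours" avoids confirming
        # which ids exist to a caller who does not own them.
        store.audit_log.append(
            f"DENY delete comment_id={comment_id} by user={session_user}"
        )
        raise Forbidden("comment not found or not owned by caller")
    del store.comments[comment_id]
    store.audit_log.append(
        f"ALLOW delete comment_id={comment_id} by user={session_user}"
    )
    return True


def build_sample_store():
    """Constructed sample data: two users, one comment each."""
    store = CommentStore()
    store.add(Comment(101, "alice", "Great product"))
    store.add(Comment(202, "bob", "Arrived late"))
    return store


def demo():
    """Run both handlers against the same cross-user request; return results."""
    # 1. Vulnerable handler: alice (logged in) submits bob's comment id.
    vulnerable_store = build_sample_store()
    vulnerable_deleted = delete_comment_vulnerable(vulnerable_store, "alice", 202)

    # 2. Hardened handler: the same request is refused and logged.
    secure_store = build_sample_store()
    try:
        delete_comment_secure(secure_store, "alice", 202)
        secure_deleted = True
    except Forbidden:
        secure_deleted = False

    # 3. Hardened handler still lets alice delete her own comment.
    own_deleted = delete_comment_secure(secure_store, "alice", 101)

    return {
        "vulnerable_deleted_other_users_comment": vulnerable_deleted,
        "secure_deleted_other_users_comment": secure_deleted,
        "secure_deleted_own_comment": own_deleted,
        "bob_comment_survives_secure": 202 in secure_store.comments,
        "audit_log": secure_store.audit_log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is the ownership comparison against the server-side session; returning the same error for a missing and a foreign id, and writing every denied attempt to an audit log, are the two small additions a defender would want so that a user iterating over ids shows up in monitoring rather than in deleted content.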

my face when this happened

Thanks for reading this post.

Thanks HackerOne.
Bug bounty Yahoo reward
and swag Yahoo :D

My data:
