Security bug in Yahoo allows anyone to delete millions of records from the database.



Ibrahim Raafat found a vulnerability on suggestions.yahoo.com. He stated that anyone could delete millions of records stored in the database by exploiting a Direct Object Reference vulnerability.
He said that he found the bug by adding a comment on someone’s post on Yahoo! Suggestions and checking how the request works when deleting his comments. He was able to delete others’ comments and also add comments using another account.
He reported the bug to Yahoo!; it has been patched, and he received a bounty.
More information about the bug can be found on his blog.
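
The missing check behind a bug of this class, as an added example (not Yahoo's code and not taken from the researcher's write-up): a delete that trusts the comment id in the request beside one that verifies ownership against the session user. The in-memory store and all names (`CommentStore`, `delete_unchecked`, `delete_checked`, `add_comment_checked`) are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """The session user may not act on the referenced comment."""

@dataclass
class Comment:
    comment_id: int
    author: str
    body: str

class CommentStore:
    """Constructed in-memory stand-in for the comments table."""
    def __init__(self):
        self._rows, self._next_id = {}, 1

    def add(self, author, body):
        cid, self._next_id = self._next_id, self._next_id + 1
        self._rows[cid] = Comment(cid, author, body)
        return cid

    def get(self, comment_id):
        return self._rows.get(comment_id)

    def delete_unchecked(self, session_user, comment_id):
        # Weak pattern: the id from the request is the only thing consulted,
        # so any logged-in user can remove any row by changing the id.
        return self._rows.pop(comment_id, None) is not None

    def delete_checked(self, session_user, comment_id):
        # Corrected pattern: the row must belong to the authenticated user.
        # Missing and foreign ids fail identically, so ids cannot be probed.
        row = self._rows.get(comment_id)
        if row is None or row.author != session_user:
            raise Forbidden(f"comment {comment_id} not deletable by {session_user}")
        del self._rows[comment_id]
        return True

def add_comment_checked(store, session_user, form):
    # The author is taken from the server-side session; an "author" field
    # supplied in the request body is ignored rather than trusted.
    return store.add(session_user, form["body"])

if __name__ == "__main__":
    store = CommentStore()
    cid = store.add("alice", "constructed sample comment")
    try:
        store.delete_checked("bob", cid)
    except Forbidden as exc:
        print("blocked:", exc)
    print("still present:", store.get(cid) is not None)
```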