June 8, 2026
Broken Access Control leads to deleting any user’s comment
Hello Raccoonians,
Raccoon
Let's head into the bug. There was a program where you can create an organization. I created one and added two users, the attacker and the victim. The program had a function called "Arguments" where you can create a text post and other users can comment on it, and this is where the bug starts. I wrote two comments: one as the victim, which was "any", and the other as the attacker, which was "hi".
There was a function to delete only your own comment (a user can't delete any comment except their own). As the victim I deleted my comment, intercepted the request, sent it to Repeater and then dropped it so the comment was not actually deleted.
As the attacker I deleted my comment, intercepted the request, sent it to Repeater and then dropped it so that comment was not deleted either.
Every request carried the parameters model, instanceId, instanceVersion, id and type. I replaced the attacker's request body with the victim's, which means I put the victim's comment id in place of my own. The request should have been blocked, since I did not have permission to do that (but I didn't care about that). I sent the request and was surprised to see that the victim's comment was deleted, the one that said "any", do you remember?
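What went wrong, shown as an added illustration rather than the code of the program in the post: a minimal comment store whose delete endpoint receives the same parameters the post names (model, instanceId, instanceVersion, id, type). The vulnerable handler only checks that the comment exists, so any member can supply another user's comment id; the fixed handler looks the comment up server-side and refuses unless the session user is its author, logging the refused attempt. All users, ids and parameter values below are constructed.

```python
from dataclasses import dataclass


@dataclass
class Comment:
    id: int
    author: str   # the user who wrote it; the only user allowed to delete it
    body: str


DENIED = []  # constructed audit trail of refused deletions, useful for detection


def make_store():
    """Constructed sample data: the victim's comment 'any' and the attacker's 'hi'."""
    return {1: Comment(1, "victim", "any"), 2: Comment(2, "attacker", "hi")}


def delete_vulnerable(store, session_user, req):
    """Broken object-level authorization: the client-supplied id is trusted."""
    cid = req["id"]
    if req.get("type") != "comment" or cid not in store:
        return False
    del store[cid]  # no check that session_user owns the comment
    return True


def delete_fixed(store, session_user, req):
    """Correct check: ownership is decided from the server-side record, not the request."""
    cid = req["id"]
    comment = store.get(cid)
    if req.get("type") != "comment" or comment is None:
        return False
    if comment.author != session_user:
        DENIED.append((session_user, cid))  # refused: log it for monitoring
        return False
    del store[cid]
    return True


# Constructed stand-in for the replayed request: the attacker's own delete
# request with the victim's comment id (1) substituted for the attacker's (2).
ATTACKER_REQ = {"model": "argument", "instanceId": 7, "instanceVersion": 1,
                "id": 1, "type": "comment"}
```

Run `delete_vulnerable(make_store(), "attacker", ATTACKER_REQ)` and the victim's comment disappears; `delete_fixed` with the same arguments returns False and leaves the comment intact.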
Hope you enjoyed ❤
Don't forget to check my channel