Yahoo, it seems, just can’t do anything right when it comes to winning friends in the security industry.
First, they came up with a bonkers scheme for recycling old email addresses – not apparently realising that the danger of identity theft to which it was exposing the original account holders.
Next, Yahoo CEO Marissa Mayer showed she didn’t even have time to tap four digits, and admitted she doesn’t bother to have even a simple security passcode on her iPhone.
And now, it’s been revealed that it takes its users’ security with such disregard that it “rewards” researchers who find vulnerabilities with a paltry $12.50 bounty… which can only be spent in Yahoo’s Company Store.
That’s what just happened to the researchers at High-Tech Bridge recently.
On Monday 23rd September, the researchers informed Yahoo’s Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains.
According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email.
48 hours later, Yahoo’s security team responded, thanking the researchers and offering the mighty bounty of err.. $12.50 per vulnerability. But there was a catch, the researchers were limited as to how they could spend their riches.
This amount was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate t-shirts, cups, pens and other accessories. At this point, the High-Tech Bridge team decided to hold off on any further research for Yahoo.
Ilia Kolochenko, the CEO of High-Tech Bridge, summed up the situation pretty well:
“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.”
Of course, money (and t-shirts) shouldn’t be the only motivation for reporting a security vulnerability. But such a risible reward is unlikely to win Yahoo any friends and could – if anything – make it less likely that the site will gain the assistance of white-hats in future.
Yahoo has now patched all of the vulnerabilities reported by High-Tech Bridge.
Great, now Yahoo is a target for blackhats. Since whitehats
can't get anything for finding bugs, the bugs will remain.
If someone finds a bug, it'll be more valuable to someone
who trades exploits.
I completely agree. Sacrificing security for measly thousands of dollars in the short run is going to affect customer credibility and business in the long run.
Ok, 12.50 sounds lousy, and it pretty much is….. BUT, most companies reward with ZERO, nada, ziltch, the big goose egg…
I'd be happy to get the 12.50….
I'd buy the socks…. and I'd keep them right along side my other cherished pair of socks… My SOPHOS socks that were handed out as swag oh so many MANY years ago! :-)
LOL, yah, I'm an old timer in these here parts! ;-)
Mike B
I'm pretty sure it was Dr Solomon's/S&S International that gave away the socks, not Sophos. :)
I was quite possibly one of the people throwing them out…
The researchers should purchase the shirt with
"Yahoo!" on it, and then have words added so that
the end result says: "I discovered a major vulnerability
on Yahoo! and all I got was this crummy T-shirt!"
Should I get the socks or the baseball cap? Too much choice
:(
I also found a Bug on Yahoo and received $25. Slightly
Disappointed with the reward but being fair it's better
than getting nothing.
http://makthepla.net/blog/=/yahoo-bug-bounty
Google offers upwards of 50k per exploit… I have lost all respect for Yahoo, and will be deleting my account today.
(I work in IT/Network Sec, and this is insulting)
Actually you got ripped off since a black hat would have paid you way more. Hence the issue. It's now more valuable to sell the vuln to someone else than it is to help Yahoo fix their site.
Nothing like a little blackmail to get you through the day.
Marissa Mayers…interesting subject. As child, she did not
associate with her peers: she was the dreaded TEACHER'S
PET. Looking down on all the "children" she was
forced to sit with during class hours, but only spent time with the
teachers. Look at Yahoo! home page. it looks like it was conceived
by someone that thinks we all are National Inquirer readers
(looking down on the potential customers), and can make a killing
by reducing it's contents to the lowest common
denominator. Tells her internet users about this spiffy, wonderful
new Yahoo! inbox we can all try…same one they rolled passed us
before she was given an obscene salary to take over…we did not
want it. So, of course, Mayer FORCED the issue, gave the customer
NO CHOICE (as you do children), and converted us all one day. Now I
am a Hushmail user.
Any info on the actual exploits? Isn't this a tech blog?
al you reported was an xss which is not as serious as the
multiple sql injections ive found on yahoo subdomains. stop crying
about such a low bounty, had you properly researched this before
reporting aforementioned flaws you would have known before
hand.
I must be old: it appears I am the only one who remembers
the comedian "Yahoo serious"; this faux pas by
Yahoo has got to earn them either the previously mentioned T-shirt
(good call on that one too) or at least a pun on the name
"Yahoo serious" for old folks like me
:-)
Personally I would have started negotiating the reward
before releasing details of the find. MAYBE if I had multiple finds
give them just one so that I have my foot in the door, but I
wouldn't give them any more for a discount on a product I
don't even want. I want an agreement set in stone as far
as the payment for my time and work first.
oh yes xnite, thats the best way to approach a situation such as this, tell them youve found flaws in their system but you wont release until after negotiating a reward. youre basically telling them check your logs and find the vuln without my help. but then again a wannabe like you whom has been raided and swatted numerous times would know exactly what to do in this situation right?
Well, I have reconsidered my thought process there. Honestly the reward doesn't matter, but if a company is going to offer a reward for a find, don't insult them with a shitty gift-card which is limited to their products & provides *maybe* enough for a t-shirt.
Also:
Wannabe? No, I don't brag about stuff I'm not, I follow my interests and learn along the way. No harm in that right? :)
Raided? What for? I don't do anything which would get me arrested. I simply blog about current events and things going on in my life. Nothing wrong with that right? Since when has that been illegal? OMG I should be put on the electric chair because I talk about stuff and people read it!
SWAT'd? Sure I've been, but I barely see how that is relevant here.
Maybe you should keep the snarky comments to yourself since you obviously don't know enough about me to make any valid point. However, I'll at least admit I changed my thought process on this partially due to your comment, and partially due to looking back on mine & thinking it sounds kind of silly what I said before.