Serious Yahoo bug discovered. Researchers rewarded with $12.50 voucher to buy corporate T-shirt

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Yahoo T-shirtYahoo, it seems, just can’t do anything right when it comes to winning friends in the security industry.

First, they came up with a bonkers scheme for recycling old email addresses – not apparently realising that the danger of identity theft to which it was exposing the original account holders.

Next, Yahoo CEO Marissa Mayer showed she didn’t even have time to tap four digits, and admitted she doesn’t bother to have even a simple security passcode on her iPhone.

And now, it’s been revealed that it takes its users’ security with such disregard that it “rewards” researchers who find vulnerabilities with a paltry $12.50 bounty… which can only be spent in Yahoo’s Company Store.

Sign up to our free newsletter.
Security news, advice, and tips.

That’s what just happened to the researchers at High-Tech Bridge recently.

On Monday 23rd September, the researchers informed Yahoo’s Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains.

According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email.

48 hours later, Yahoo’s security team responded, thanking the researchers and offering the mighty bounty of err.. $12.50 per vulnerability. But there was a catch, the researchers were limited as to how they could spend their riches.

This amount was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate t-shirts, cups, pens and other accessories. At this point, the High-Tech Bridge team decided to hold off on any further research for Yahoo.

Yahoo Store

Ilia Kolochenko, the CEO of High-Tech Bridge, summed up the situation pretty well:

“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.”

Of course, money (and t-shirts) shouldn’t be the only motivation for reporting a security vulnerability. But such a risible reward is unlikely to win Yahoo any friends and could – if anything – make it less likely that the site will gain the assistance of white-hats in future.

Yahoo has now patched all of the vulnerabilities reported by High-Tech Bridge.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

17 comments on “Serious Yahoo bug discovered. Researchers rewarded with $12.50 voucher to buy corporate T-shirt”

  1. john

    Great, now Yahoo is a target for blackhats. Since whitehats
    can't get anything for finding bugs, the bugs will remain.
    If someone finds a bug, it'll be more valuable to someone
    who trades exploits.

    1. Karthik · in reply to john

      I completely agree. Sacrificing security for measly thousands of dollars in the short run is going to affect customer credibility and business in the long run.

    2. Mike B · in reply to john

      Ok, 12.50 sounds lousy, and it pretty much is….. BUT, most companies reward with ZERO, nada, ziltch, the big goose egg…
      I'd be happy to get the 12.50….

      I'd buy the socks…. and I'd keep them right along side my other cherished pair of socks… My SOPHOS socks that were handed out as swag oh so many MANY years ago! :-)

      LOL, yah, I'm an old timer in these here parts! ;-)

      Mike B

      1. Graham CluleyGraham Cluley · in reply to Mike B

        I'm pretty sure it was Dr Solomon's/S&S International that gave away the socks, not Sophos. :)

        I was quite possibly one of the people throwing them out…

  2. The researchers should purchase the shirt with
    "Yahoo!" on it, and then have words added so that
    the end result says: "I discovered a major vulnerability
    on Yahoo! and all I got was this crummy T-shirt!"

  3. Lul

    Should I get the socks or the baseball cap? Too much choice
    :(

  4. I also found a Bug on Yahoo and received $25. Slightly
    Disappointed with the reward but being fair it's better
    than getting nothing.
    http://makthepla.net/blog/=/yahoo-bug-bounty

    1. Austin S. · in reply to Ciaran McNally

      Google offers upwards of 50k per exploit… I have lost all respect for Yahoo, and will be deleting my account today.

      (I work in IT/Network Sec, and this is insulting)

    2. J · in reply to Ciaran McNally

      Actually you got ripped off since a black hat would have paid you way more. Hence the issue. It's now more valuable to sell the vuln to someone else than it is to help Yahoo fix their site.

      1. Eric · in reply to J

        Nothing like a little blackmail to get you through the day.

  5. farang

    Marissa Mayers…interesting subject. As child, she did not
    associate with her peers: she was the dreaded TEACHER'S
    PET. Looking down on all the "children" she was
    forced to sit with during class hours, but only spent time with the
    teachers. Look at Yahoo! home page. it looks like it was conceived
    by someone that thinks we all are National Inquirer readers
    (looking down on the potential customers), and can make a killing
    by reducing it's contents to the lowest common
    denominator. Tells her internet users about this spiffy, wonderful
    new Yahoo! inbox we can all try…same one they rolled passed us
    before she was given an obscene salary to take over…we did not
    want it. So, of course, Mayer FORCED the issue, gave the customer
    NO CHOICE (as you do children), and converted us all one day. Now I
    am a Hushmail user.

  6. Mat

    Any info on the actual exploits? Isn't this a tech blog?

  7. nobody

    al you reported was an xss which is not as serious as the
    multiple sql injections ive found on yahoo subdomains. stop crying
    about such a low bounty, had you properly researched this before
    reporting aforementioned flaws you would have known before
    hand.

  8. Campbell Milton

    I must be old: it appears I am the only one who remembers
    the comedian "Yahoo serious"; this faux pas by
    Yahoo has got to earn them either the previously mentioned T-shirt
    (good call on that one too) or at least a pun on the name
    "Yahoo serious" for old folks like me
    :-)

  9. Personally I would have started negotiating the reward
    before releasing details of the find. MAYBE if I had multiple finds
    give them just one so that I have my foot in the door, but I
    wouldn't give them any more for a discount on a product I
    don't even want. I want an agreement set in stone as far
    as the payment for my time and work first.

    1. nobody · in reply to Rob Whitney

      oh yes xnite, thats the best way to approach a situation such as this, tell them youve found flaws in their system but you wont release until after negotiating a reward. youre basically telling them check your logs and find the vuln without my help. but then again a wannabe like you whom has been raided and swatted numerous times would know exactly what to do in this situation right?

      1. Rob Whitney · in reply to nobody

        Well, I have reconsidered my thought process there. Honestly the reward doesn't matter, but if a company is going to offer a reward for a find, don't insult them with a shitty gift-card which is limited to their products & provides *maybe* enough for a t-shirt.
        Also:

        Wannabe? No, I don't brag about stuff I'm not, I follow my interests and learn along the way. No harm in that right? :)

        Raided? What for? I don't do anything which would get me arrested. I simply blog about current events and things going on in my life. Nothing wrong with that right? Since when has that been illegal? OMG I should be put on the electric chair because I talk about stuff and people read it!

        SWAT'd? Sure I've been, but I barely see how that is relevant here.

        Maybe you should keep the snarky comments to yourself since you obviously don't know enough about me to make any valid point. However, I'll at least admit I changed my thought process on this partially due to your comment, and partially due to looking back on mine & thinking it sounds kind of silly what I said before.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.