
Yahoo Slammed Over $12.50 Bug Bounty

Yahoo has received plenty of criticism over its security practices in recent weeks and has now been panned for handing out a $12.50 voucher for its own merchandise to thank researchers who uncovered potentially serious flaws.

The vulnerabilities were basic – cross-site scripting flaws on the ecom.yahoo.com and adserver.yahoo.com websites – but they could have let an attacker take over the account of any logged-in Yahoo Mail user who was lured into clicking a crafted link.

Yahoo gets a kicking

In a typical reflected XSS attack, the target is sent a specially crafted link to the vulnerable page; when it is clicked, script embedded in the link runs in the victim's browser in the context of the vulnerable Yahoo domain and can send the victim's authentication cookies to the attacker, who then replays them to take over the email account and read its contents. That is exactly what these flaws would have allowed against Yahoo users.

Despite the severity, Yahoo came back to the High-Tech Bridge researchers within 48 hours to notify them of their reward: $12.50 in the form of a discount code to be redeemed at the Yahoo Company Store, which sells t-shirts, pens and other corporate gear.

The pentesters weren’t impressed. “Yahoo should probably revise their relations with security researchers,” said Ilia Kolochenko, High-Tech Bridge CEO.

“Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.

“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.”

Security expert Graham Cluley added: “Such a risible reward is unlikely to win Yahoo any friends and could – if anything – make it less likely that the site will gain the assistance of white-hats in future.”

All of the XSS flaws have since been fixed by Yahoo, but beyond the ear-bashing from the security community it has other problems on its hands, namely the issues that have come with recycling old email addresses.

Users continue to complain that they can see messages intended for the previous owners of the email addresses they were reassigned.

The company had not responded to a request for comment at the time of publication.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
