Security Researchers Rewarded With $12.50 Voucher To Buy Yahoo T-Shirt

Posted by Unknown Lamer
from the gimme-more-or-ill-hack-ur-serverz dept.
Hugh Pickens DOT Com writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo's Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo's security team responded, thanking the researchers and 'offering the mighty bounty of err.. $12.50 per vulnerability,' writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories."
  • by Anonymous Coward on Tuesday October 01, 2013 @05:24AM (#45000149)

    Which part of "Forty-eight hours later, Yahoo had patched all of the vulnerabilities" did you miss?

    If you want to object here, then get that tinfoil hat straight and get some sharper Occam's razor.

    Seriously, if you think "bug reported to Yahoo -> NSA demands it from Yahoo -> NSA quickly uses it to hack Yahoo's accounts in 2 days -> Yahoo patches it" is realistic, then you should realize that "NSA demands access to Yahoo accounts -> NSA leisurely browses through all Yahoo accounts they want" would be much more plausible.

    FFS, learn the fucking difference between software on your PC and web services at least. In the latter case, govt spooks won't need any vulnerabilities if it comes to that - they can just come with a subpoena/NSL/whatever.

  • by Anonymous Coward on Tuesday October 01, 2013 @07:44AM (#45000815)

    You mean this guy [doublewide.net] who got a cheque for $500 and a bunch of software for a problem that took him 2 minutes and $35 to address?

  • Re:This is news? (Score:3, Informative)

    by Lumpy (12016) on Tuesday October 01, 2013 @08:49AM (#45001303) Homepage

    "I see it differently. In real life we pay for cops via taxes. Part of their job is to offer advice and even survey your home for ways that criminals might break in. It's part of the service."

    What utopia is that that you live in? Because here in the USA they do not do this at all. The police advice to me is, "do not own a weapon, in the case of a home invasion hide under your bed and call the police. Do not fortify your doors and windows as that is a crime."

    Yes, fortification of doors and windows in the USA is a CRIME. It makes it harder for cops to raid your home if they need to.

  • Re:So . . . (Score:5, Informative)

    by hairyfeet (841228) <bassbeast1968@NOspaM.gmail.com> on Tuesday October 01, 2013 @10:38AM (#45002595) Journal

    The problem is that Yahoo just sent out a message to every grey hat, letting them know "if you want anything other than a T-Shirt talk to the metasploit guys" and ya know what? They will. It's not just about the money, it's about respect. A t-shirt is the kind of prize you get from some DJ standing on a street corner NOT what you get for saving a company endless bad press and possible millions in pissed off users.

    Of course the real bitch isn't just the XSS, it's when you mix that with an insecure browser you get a real perfect shitstorm. See my journal for what I labeled the "Yahoo porn bug" a couple years back, if you take Yahoo and ONLY Yahoo, didn't see this with either Gmail nor Live mail, and Firefox which again ONLY FF, not any of the Chromium or WebKit browsers nor Opera nor IE, put them together and what do you get? You get the ability for spammers to be able to spam entire address books without having any real access at all. They do this by using the fact that FF runs at the same permission levels as the user (which is retarded but Moz refuses to fix, Chromium had the ability to run below user permission more than 6 years ago) and with a hidden iframe and using the FF auto login (or even just a still valid cookie) they could have access to the entire address book without having to break into the account or even send a drop of data back to themselves.

    So as I've been saying for a few years now Yahoo really needs to get their shit together, it's entirely too easy to use Yahoo email addresses for spamming. The same can be said of Moz, I no longer include any gecko based browsers specifically because they refuse to add low rights mode. Bad security practices are bad practices and insulting those that find bugs by giving them a lousy $12.50 t-shirt? They have made sure the next bug found by a grey hat will only be found out by Yahoo when they are getting pwned.
