Yahoo, it seems, just can’t do anything right when it comes to winning friends in the security industry.
First, they came up with a bonkers scheme for recycling old email addresses - not apparently realising that the danger of identity theft to which it was exposing the original account holders.
Next, Yahoo CEO Marissa Mayer showed she didn’t even have time to tap four digits, and admitted she doesn’t bother to have even a simple security passcode on her iPhone.
And now, it’s been revealed that it takes its users’ security with such disregard that it “rewards” researchers who find vulnerabilities with a paltry $12.50 bounty… which can only be spent in Yahoo’s Company Store.
That’s what just happened to the researchers at High-Tech Bridge recently.
On Monday 23rd September, the researchers informed Yahoo’s Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains.
According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email.
48 hours later, Yahoo’s security team responded, thanking the researchers and offering the mighty bounty of err.. $12.50 per vulnerability. But there was a catch, the researchers were limited as to how they could spend their riches.
This amount was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate t-shirts, cups, pens and other accessories. At this point, the High-Tech Bridge team decided to hold off on any further research for Yahoo.
Ilia Kolochenko, the CEO of High-Tech Bridge, summed up the situation pretty well:
“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.”
Of course, money (and t-shirts) shouldn’t be the only motivation for reporting a security vulnerability. But such a risible reward is unlikely to win Yahoo any friends and could - if anything - make it less likely that the site will gain the assistance of white-hats in future.
Yahoo has now patched all of the vulnerabilities reported by High-Tech Bridge.