Aerosol

Yahoo! pays $24,000 to Hacker for finding Security Vulnerabilities


Posted


Yahoo! has offered $24,000 to a security researcher for finding and reporting three critical security vulnerabilities in its products, including Yahoo! Stores and Yahoo!-hosted websites.

While testing all of the company's applications, Mark Litchfield, a bug bounty hunter who often works with different companies, discovered three critical vulnerabilities in Yahoo!'s products. All three vulnerabilities have now been fixed by Yahoo!.

THREE CRITICAL SECURITY VULNERABILITIES

The first and most critical vulnerability gives hackers full administrator access to Yahoo!'s e-commerce platform, Yahoo! Small Business, a portal that allows small business owners to create their own web stores through Yahoo! and sell merchandise.

According to the researcher, the flaw in the service allowed him to fully administer any Yahoo store and thereby gain access to customers' personally identifiable information, including names, email addresses and telephone numbers.

BUG ALLOWS FREE SHOPPING

Besides allowing hackers full admin access to the web stores, the vulnerability could also be leveraged by an attacker to rig a user-run eCommerce web store to let them shop for free, or at a huge discount, Litchfield claimed.

"We could also shop for free by either changing the prices, or creating our own discount code," Litchfield said in an email describing the attack. "Also, we could place an order, then once received, go and refund our money."

A separate but related vulnerability in Yahoo! Stores, the second flaw discovered by Litchfield, allows an unauthorized user to edit Yahoo-hosted stores through the app, thereby giving hackers a means to hijack an online store.

Last but not least, Litchfield discovered a critical vulnerability in Yahoo's Small Business portal that allows hackers to seize administrative access to Yahoo!-hosted websites and gain full, unauthorized access to them.

The Internet giant patched all three bugs two weeks ago, after Litchfield publicly released details and proof-of-concept exploits on Bug Bounty HQ, a community website for bug bounties that Litchfield established last month for fellow hunters to share their findings.

'ON DEMAND PASSWORD'

At a recent SXSW session, Yahoo! launched 'on-demand passwords,' which it says will eliminate the need for you to ever remember your email password. Whenever you need it, the company will send you an OTP (one-time password) via SMS to your mobile phone.

It's sort of two-factor authentication without the first factor, as the user does not need to enter any login password. To opt in to the feature, follow these simple steps:

Sign in to your Yahoo email account.

Click on your name at the top right corner to access your account information page.

Choose Security in the sidebar.

Click on the slider for on-demand passwords, in order to opt-in.

Enter your phone number and Yahoo will send you a verification code.

Enter the code.

Now, the next time you sign in to your email account, Yahoo will send a password via SMS to your phone when you need it.

Also, the end-to-end email encryption that Yahoo! promised will be available soon, by the end of this year. The company gave its first demonstration of the locked-down messaging system at the SXSW session, and it is also delivering early source code for security researchers to analyze.

Source
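The on-demand password flow described in the post, as an added example that is not Yahoo's code: the server generates a short-lived, single-use code, sends it to the enrolled phone (an in-memory outbox stands in for the SMS gateway here), and the user proves possession of the phone by entering it. Since the phone is the only factor, the code has to be single-use, time-limited and guess-limited; the block enforces all three. The OtpService class, its method names, the 6-digit format, the 5-minute lifetime and the 3-attempt cap are assumptions, not Yahoo's documented parameters.

```python
"""Server side of an SMS one-time-password ("on-demand password") login.

Added example, not Yahoo's code. All names and limits below are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PendingCode:
    code: str            # the 6-digit code that was sent
    expires_at: float    # unix time after which it is rejected
    attempts_left: int   # wrong guesses tolerated before the code is discarded


@dataclass
class OtpService:
    ttl_seconds: int = 300   # assumed lifetime of a code
    max_attempts: int = 3    # assumed guess budget per code
    # Simulated SMS outbox: (phone, message) tuples instead of a real gateway.
    sent_messages: List[Tuple[str, str]] = field(default_factory=list)
    _pending: Dict[str, PendingCode] = field(default_factory=dict)

    def request_code(self, user: str, phone: str, now: Optional[float] = None) -> None:
        """Generate a fresh code for `user` and 'send' it to `phone`.

        A new request replaces any earlier outstanding code for the user.
        """
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded 6 digits
        self._pending[user] = PendingCode(code, now + self.ttl_seconds, self.max_attempts)
        self.sent_messages.append((phone, f"Your sign-in code is {code}"))

    def verify(self, user: str, submitted: str, now: Optional[float] = None) -> bool:
        """Return True once, for the correct unexpired code; False otherwise."""
        now = time.time() if now is None else now
        pending = self._pending.get(user)
        if pending is None:
            return False                       # nothing outstanding (or already used)
        if now > pending.expires_at:
            del self._pending[user]            # expired: force a fresh request
            return False
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[user]            # single-use: consume on success
            return True
        pending.attempts_left -= 1             # wrong guess: burn one attempt
        if pending.attempts_left <= 0:
            del self._pending[user]            # guess budget exhausted: discard code
        return False


def last_code_sent(svc: OtpService) -> str:
    """Read the code back out of the simulated outbox (what the user would type)."""
    return svc.sent_messages[-1][1].split()[-1]


if __name__ == "__main__":
    svc = OtpService()
    svc.request_code("alice", "+1-555-0100")       # constructed sample phone number
    code = last_code_sent(svc)
    print("first use:", svc.verify("alice", code))    # True
    print("replay:", svc.verify("alice", code))       # False, code already consumed
```

The `now` parameter exists so expiry can be exercised deterministically; in production it is simply omitted and the wall clock is used.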

Posted

And yet... aren't they interested in investing in the part where a hacker can no longer deactivate 10,000 accounts a month?

Regardless of whether it's business mail or free... they have all been falling just as easily for about 6 years now.
