10.01.13

I Discovered A Glitch In Yahoo’s Security And All I Got Was This Lousy T-Shirt

Security experts alerted Yahoo’s Security Team to vulnerabilities that could compromise any email account. In return, they got $12.50 to spend at the company store.

[Image: via Yahoo company store]

Let’s say you’re dying to get your hands on that Yahoo-branded iPad cover from the company’s store (we won’t ask you why). Here’s a cool way to get $12.50 off your purchase:

  1. Find a security bug in a Yahoo website.
  2. Report it to Yahoo.
  3. Receive a promo code for $12.50 off anything in Yahoo’s company store.
  4. Feel all warm and fuzzy inside.

This is exactly what happened to the security experts at the Geneva-based firm High-Tech Bridge recently (we’re pretty sure they were not feeling warm and fuzzy). After reporting three cross-site scripting (XSS) vulnerabilities to Yahoo’s security team that could compromise any email account by having a logged-in Yahoo user click on a specially crafted link, they got a thank-you email from Yahoo, and a handsome reward of $12.50 to use on the company’s online store where you can buy Yahoo-branded socks, t-shirts, and other things.

High-Tech Bridge CEO Ilia Kolochenko says: “Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.”

Facebook, as a point of comparison, recently offered a hacker $12,500 for finding a way to delete anyone’s Facebook photos with the right know-how. Google offers up to $20,000 for reporting security vulnerabilities. Microsoft? A cool $100,000.

About the author

Pranav Dixit has written about everything from megalomaniacal Bollywood stars to Mughal history as a reporter in New Delhi. But secretly, he has always wanted to cover technology.