Yahoo! has offered $24,000 to a security researcher for finding out and reporting three critical security vulnerabilities in its products including Yahoo! Stores and Yahoo!-hosted websites.
While testing all the company’s application, Mark Litchfield, a bug bounty hunter who often works with different companies, discovered three critical vulnerabilities in Yahoo!’s products. All the three vulnerabilities have now been fixed by Yahoo!.
THREE CRITICAL SECURITY VULNERABILITIES
The first and most critical vulnerability gives hackers full administrator access to Yahoo!’s e-commerce platform,Yahoo! Small Business
, a portal that allows small business owners to create their own web stores through Yahoo! and sell merchandise.
According to the researcher, the flaw in the service allowed him to fully administrator any Yahoo store and thereby gain access to customers’ personally identifiable information, including names, email addresses, telephone numbers.
BUG ALLOWS FREE SHOPPING
Beside allowing hackers full admin access to the web stores, the vulnerability could also leverage an attacker to rig a user-run eCommerce web store to let them shop for free, or at a huge discount, Litchfield claimed.
“We could also shop for free by either changing the prices, or creating our own discount code,” Litchfield said in an email describing the attack. “Also, we could place an order, then once received, go and refund our money.“
A separate but related vulnerability in Yahoo! Stores, second flaw discovered by Litchfield, allows an unauthorized user to edit Yahoo-hosted stores through the app, thereby creating a means for hackers to hijack an online website store.
Last but not the least, Litchfield discovered a critical vulnerability in Yahoo’s Small Business portal that allows hackers to seize administrative access to Yahoo!-hosted websites
and gain full, unauthorized access to them.
The Internet giant patched all the three bugs two weeks ago after Litchfield publicly released details and proof of concepts for the exploits on Bug Bounty HQ
, a community for Bug Bounties website, established by Litchfield last month for fellow hunters to share their findings.
‘ON DEMAND PASSWORD’
At recent SXSW session, Yahoo! launched ‘on-demand passwords,’ which it says will eliminate the need for you to ever remember your email password. Whenever you need it, the company will send you a OTP (one time password) via SMS to your mobile phone.
It’s sort of two-factor authentication—without the first factor involved, as there is no need of any log-in password to enter by a user. In order to opt-in for the feature follow some simple steps:
- Sign in to your Yahoo email account.
- Click on your name at the top right corner to access your account information page.
- Choose Security in the sidebar.
- Click on the slider for on-demand passwords, in order to opt-in.
- Enter your phone number and Yahoo will send you a verification code.
- Enter the code.
Now, next time whenever you will sign in into your email account, Yahoo will send a password via an SMS to your phone when you need it.
Also, the end-to-end email encryption that Yahoo! promised will be available soon by the end of this year. The company gave its first demonstration of the locked down messaging system at SXSW session, and it is also delivering early source code for security researchers to analyze.