Bounty! hunter! discovers! holes! in! Yahoo! Stores! security!
Guns down three vulns and picks up $24k reward
Security researcher Mark Litchfield is $24,000 the richer after discovering three vulnerabilities involving Yahoo! Stores and hosted websites.
The three vulnerabilities were fixed by Yahoo! after Litchfield alerted the internet giant through its bug bounty programme. The first and most serious of the vulnerabilities opened up full admin access to all Yahoo! Stores, an e-commerce platform pitched at small web businesses.
"This allowed me to fully administer any Yahoo! store, as well as have access to customer PII [personally identifiable information] for all orders placed within the store: names, addresses, email addresses, telephone numbers, etc.," Litchfield told El Reg.
"We could also shop for free by either changing the prices or creating our own discount code. Also, we could place an order, then once received go and refund our money."
A related flaw in Yahoo! Stores, also discovered by Litchfield, created a means to hijack an online website store.
Litchfield also discovered a third vulnerability that created a means for hackers to seize administrative access to Yahoo!-hosted websites. "This basically allowed me to administer any Yahoo!-hosted website," he said.
All three bugs are explained in greater depth on BugBountyHQ, the bug bounty community website Litchfield established last month (registration required).
"Yahoo! were extremely quick to resolve these issues," Litchfield, a serial discoverer of Yahoo! vulns, told El Reg. "To date I have found vulnerabilities in PayPal's Prostores, GoStoreGo and PayPal Manager, that gave me admin access to their stores and all their customer PII, and now Yahoo! Stores."
El Reg invited Yahoo! to comment on the award last week, but we are yet to hear back at the time of going to press. We'll update this story as and when we hear more. ®