Yahoo! pays $24,000 to Hacker for finding Security Vulnerabilities


Blog News | Dulisha | Tuesday, 17 March 2015 12:15

Yahoo! has offered $24,000 to a security researcher for finding out and reporting three critical security vulnerabilities in its products including Yahoo! Stores and Yahoo!-hosted websites.


While testing all the company's applications, Mark Litchfield, a bug bounty hunter who often works with different companies, discovered three critical vulnerabilities in Yahoo!'s products. All three vulnerabilities have now been fixed by Yahoo!


THREE CRITICAL SECURITY VULNERABILITIES

The first and most critical vulnerability gave hackers full administrator access to Yahoo!'s e-commerce platform, Yahoo! Small Business, a portal that lets small business owners create their own web stores through Yahoo! and sell merchandise.

BUG ALLOWS FREE SHOPPING

Besides giving hackers full admin access to the web stores, the vulnerability could also be leveraged by an attacker to rig a user-run eCommerce web store so that they could shop for free, or at a huge discount, Litchfield claimed.

'ON DEMAND PASSWORD'

At a recent SXSW session, Yahoo! launched 'on-demand passwords,' which it says will eliminate the need for you to ever remember your email password. Whenever you need one, the company sends you an OTP (one-time password) via SMS to your mobile phone.

It is a sort of two-factor authentication without the first factor, since the user never has to enter a login password at all. To opt in to the feature, follow these simple steps:

  1. Sign in to your Yahoo email account.
  2. Click on your name at the top right corner to access your account information page.
  3. Choose Security in the sidebar.
  4. Click on the slider for on-demand passwords, in order to opt-in.
  5. Enter your phone number and Yahoo will send you a verification code.
  6. Enter the code.
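To make the server side of the on-demand password flow concrete, here is an added example model (not Yahoo!'s code) of how such a service issues and checks SMS codes. It assumes a six-digit code, a five-minute lifetime and a three-guess limit; none of those values are stated in the article. Note that possession of the phone number is the only factor being checked.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed code lifetime; Yahoo!'s real value is not stated
MAX_ATTEMPTS = 3        # assumed guess limit per issued code


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class OnDemandPasswordService:
    """Hypothetical server side of an on-demand (SMS one-time password) login."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(phone, message); injected so this runs offline
        self.now = now             # injectable clock so expiry can be tested
        self.pending = {}          # account -> PendingCode
        self.phone_for = {}        # account -> enrolled phone number

    def enroll(self, account, phone):
        # Step 5/6 of the opt-in: the phone number is bound to the account.
        self.phone_for[account] = phone

    def request_code(self, account):
        # A fresh random code is generated per sign-in and sent to the enrolled phone.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = PendingCode(code, self.now() + OTP_TTL_SECONDS)
        self.send_sms(self.phone_for[account], f"Your sign-in code is {code}")

    def verify(self, account, submitted):
        # The code is the sole credential: no password is ever checked here.
        entry = self.pending.get(account)
        if entry is None:
            return False
        if self.now() > entry.expires_at:
            del self.pending[account]          # expired codes are discarded
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code, submitted)   # constant-time compare
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[account]          # single use; burned after too many guesses
        return ok
```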