Yahoo bug bounty pays out $7K for account takeover bug.

Yahoo awarded a $7,000 bug bounty to a researcher who spotted three vulnerabilities that could be chained to take over a Flickr account.

Researcher Michael Reizelman reported the flaws, which could allow an attacker to circumvent the social media platform's protections and intercept a user's access tokens, to Flickr's parent company Yahoo through its HackerOne account on April 2, according to an April 29 blog post.

The vulnerability stemmed from the way Flickr authentication is handled by the Yahoo login domain, which allowed Reizelman to force the service to send him the authentication token of a logged-in user.

Yahoo resolved the issue by restricting the done parameter on the login.yahoo.com endpoint to the single valid value https://www.flickr.com/signin/yahoo/, fixing the image-embedding logic bypass, and applying a Content Security Policy (CSP) to the Flickr forum. The vulnerability was patched by April 21.
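The core of the fix described above is that a post-login redirect parameter is validated against an exact allowlist rather than a looser check. The following is an added example written for this article, not Yahoo's or Flickr's code: it shows a strict validator for a "done"-style redirect parameter next to the prefix-based check such parameters are often validated with. The allowed value is the one the article names; the rejected inputs in the comments are constructed test cases, and the function names, the fallback URL and the host evil.example are assumptions for illustration.

```python
"""Validating a post-login redirect ("done") parameter.

Added example, not Yahoo's or Flickr's code. The single allowed value is
taken from the article's description of the fix; everything else
(function names, fallback URL, the test hosts) is constructed.
"""
from urllib.parse import urlsplit

# The only redirect target the login endpoint may send the user (and any
# token attached to that redirect) back to. Exact match, not a prefix.
ALLOWED_DONE = {"https://www.flickr.com/signin/yahoo/"}

# Constructed fallback used when the supplied value is rejected.
DEFAULT_DONE = "https://www.flickr.com/signin/yahoo/"


def weak_done_check(done: str) -> bool:
    """Prefix match: the pattern to avoid.

    Anything that merely begins with the expected origin is accepted, so a
    host such as www.flickr.com.evil.example or a userinfo trick like
    www.flickr.com@evil.example passes and the token leaves the intended origin.
    """
    return done.startswith("https://www.flickr.com")


def strict_done_check(done: str, allowed: set = ALLOWED_DONE) -> bool:
    """Exact-match allowlist on a normalised URL.

    The value is parsed, then rejected if it carries userinfo, a port, a query
    or a fragment, or if scheme + host + path do not rebuild to an allowed
    entry. Comparing the rebuilt URL (rather than the raw string) makes host
    case-folding explicit while still refusing any extra components.
    """
    try:
        parts = urlsplit(done)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port is not None:
        return False
    if parts.query or parts.fragment:
        return False
    if not parts.hostname:
        return False
    rebuilt = f"{parts.scheme}://{parts.hostname}{parts.path}"
    return rebuilt in allowed


def safe_redirect_target(done: str, fallback: str = DEFAULT_DONE) -> str:
    """Return the supplied target only if it passes the strict check,
    otherwise the fixed fallback, so the token is never sent elsewhere."""
    return done if strict_done_check(done) else fallback


if __name__ == "__main__":
    # Constructed inputs: one legitimate value and several that a redirect
    # validator must refuse. The weak check accepts the last two.
    samples = [
        "https://www.flickr.com/signin/yahoo/",
        "https://WWW.flickr.com/signin/yahoo/",
        "http://www.flickr.com/signin/yahoo/",
        "https://www.flickr.com/signin/yahoo/?next=x",
        "https://www.flickr.com.evil.example/signin/yahoo/",
        "https://www.flickr.com@evil.example/signin/yahoo/",
    ]
    for s in samples:
        print(f"{s!r:60} weak={weak_done_check(s)!s:5} strict={strict_done_check(s)}")
```

The point of comparing a rebuilt URL against the allowlist is that every component the parser found has to be accounted for: a host that is merely a superstring of the expected one, credentials in the authority, or an appended query all change the rebuilt value and fail the membership test, whereas the prefix check never looks past the first few characters.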