I decided to start this blog by writing a post containing a technical write-up of my first (and last) attempt to participate in the bug bounty program promoted by Yahoo!.
In this post I will share technical details on the reflected cross-site scripting vulnerability I discovered around 8 months ago as well as vent about my frustration in dealing with their bounty program.
First things first
After reading several write-ups in blogs and HackerOne reports, and realizing that most of the vulnerabilities reported, including the ones that allegedly netted the bounty hunter good payouts, were not hard to find and were something I could definitely do, I decided to jump on the bug bounty bandwagon and see for myself how long it would take to claim my first bounty.
Noticing that Yahoo! was vulnerable to every sort of vulnerability one can imagine, and admittedly has an enormous attack surface on both *.yahoo.com and *.yahoo.net, I decided it would be my first target.
Surprisingly, after focusing on a single target URL to dedicate my bug hunting efforts to, it did not take more than 5 minutes to discover a reflected cross-site scripting vulnerability in the search field of Yahoo’s Contextual Ads.
<form id="searchform1" name="searchform1" action="http://contextualads.yahoo.net... <input name="s" type="text" onClick="this.value='';" class="textbox float-left" value="TestUSER-SUPPLIED INPUT COMES HERE""" id="searchbox1" /> <input type="submit" class="sbb float-left" value="Search" />
As the snippet above shows, the application reflected the search term into the value attribute without escaping double quotes. We have the perfect conditions for pulling a reflected XSS exploit:
lo and behold…
Bang! Not bad for a 5 minute cursory look at a Yahoo! website.
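The fix for this class of bug is attribute-encoding the reflected value before it lands in the HTML. The following Python snippet is an added example, not code from this post or from Yahoo!: it models a form using the element names from the snippet above, assumes a hypothetical /search action, and uses Python's HTMLParser as a stand-in for the browser to show where the value attribute ends in the raw rendering versus the encoded one.

```python
import html
from html.parser import HTMLParser

# Constructed template modelled on the form quoted in the post; the action
# URL is a placeholder and nothing here is Yahoo!'s own code.
FORM = ('<form id="searchform1" name="searchform1" action="/search">'
        '<input name="s" type="text" value="Test{term}" id="searchbox1" />'
        '</form>')


def render_vulnerable(term: str) -> str:
    """Reflects the 's' parameter into the value attribute verbatim (the bug)."""
    return FORM.format(term=term)


def render_fixed(term: str) -> str:
    """Attribute-encodes the reflected value: a double quote becomes &quot;
    and can no longer terminate the attribute."""
    return FORM.format(term=html.escape(term, quote=True))


class InputAttrs(HTMLParser):
    """Collects the attribute dict of each <input> tag as a parser sees it."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def input_attributes(markup: str) -> dict:
    """Parses the markup and returns the attributes of the first <input>."""
    parser = InputAttrs()
    parser.feed(markup)
    return parser.inputs[0]


def reflection_is_contained(term: str, renderer) -> bool:
    """True when the whole term survives inside the value attribute and the
    tag gains no attributes beyond the four the template defines."""
    attrs = input_attributes(renderer(term))
    expected = {"name", "type", "value", "id"}
    return attrs.get("value") == "Test" + term and set(attrs) == expected
```

With a constructed term such as abc" def the raw rendering truncates the value at the injected quote and spawns a stray attribute, while the encoded rendering hands the parser the full term as a single attribute value.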
Yahoo!’s poor response to the report
After the discovery of the issue I put together a quick, but well explained, write-up, along with relevant screenshots, and submitted it through HackerOne. Then I waited, I waited and I waited…
More than a month after the report was filed, I got a reply back from Yahoo! acknowledging they had received the report and that the bug was being triaged. Then I waited some more… three months passed with no further contact from Yahoo!. So I decided to chase them by sending a message every couple of weeks to learn about the status of the report and whether they found the vulnerability to be eligible for a bounty.
Six months had passed. In the meantime I noticed the issue was fixed, but I was not given any heads up about it.
Shortly before Christmas 2014, eight months after the bug report, Yahoo! finally got back to me to say the bug was not eligible for the bounty because *.yahoo.net domains are considered out of scope. I honestly couldn’t remember seeing this anywhere when I started hunting, but oh well…
In the end, regardless of the validity of the vulnerability for the bounty program, it is unacceptable for a bounty program to take nearly one year to respond to a vulnerability report. This left me with a bad impression of Yahoo!’s bug bounty program and I am definitely not taking part in it ever again. I can only hope other researchers have had better experiences.