Yahoo’s Polyvore vulnerable to ImageMagick flaw, researcher receives little reward

Yahoo has paid $2,000 as a reward to the security researcher who disclosed the presence of the ImageMagick vulnerability in a Yahoo-owned company domain.

According to Security Week, the ImageMagick vulnerability was present on Polyvore, a community-based social commerce platform acquired by Yahoo last year.

The security flaw, CVE-2016-3714, has been dubbed “ImageTragick” by researchers. Found within the open-source software ImageMagick, an important library used in image processing and uploads across the web, the vulnerability can be exploited to trick the program into running malicious code.

If an attacker uploads a malicious file disguised as an image, they may be able to hijack websites, deliver malware and steal information.

As ImageMagick is used across countless websites, the severity of the impact of the flaw is high.

Cloudflare researchers said this week cyberattackers are already leaping on the ImageTragick bandwagon, compiling the vulnerability into exploit kits and using CVE-2016-3714 in targeted attacks against specific domains.

In Yahoo’s case, the company too has been caught flat-footed.

Security researcher Behrouz Sadeghipour discovered that the vulnerability was present in the web domain belonging to Polyvore, recently added to Yahoo’s bug bounty program.

After Sadeghipour notified Yahoo on May 4 and handed over a proof-of-concept (PoC) example to the tech giant, the vulnerability was patched within a matter of hours.

Sadeghipour was then awarded $2,000 for his efforts, but the researcher believes that due to the scope of the issue, the reward should have been higher.

Yahoo offers up to $15,000 for high-risk vulnerabilities submitted by researchers. This is an interesting case, as the underlying flaw had already been publicized and was originally discovered by a different security expert, but the potentially high impact of the flaw on Polyvore cannot be ignored.

Once one system has been hijacked, this could have led an attacker towards Yahoo’s main domains depending on the infrastructure and whether sensitive data — such as cross-site credentials — were stolen.

While Yahoo says the reward was based on a number of parameters including the “depth and impact” of the flaw, this may leave some of us wondering whether other bug bounty programs with higher payouts are worth more of a researcher’s time and effort.

Webmasters using ImageMagick should update their software to the latest release.
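Alongside updating, the mitigation published for ImageTragick was to verify that every uploaded file begins with the magic bytes of an image format the site actually supports before handing it to ImageMagick, which blocks the “malicious file disguised as an image” case described above. The following Python check is an added example and not code from the article or from Yahoo; the allow-list of formats and the sample uploads are constructed.

```python
import os

# Constructed allow-list: the image formats this site accepts and the magic
# bytes each must start with. Extend only with formats you genuinely need.
MAGIC_BYTES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def detect_format(data: bytes):
    """Return the allow-listed format whose magic bytes `data` starts with, or None."""
    for fmt, signatures in MAGIC_BYTES.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def is_safe_to_process(filename: str, data: bytes) -> bool:
    """True only if the declared extension is allow-listed AND the bytes agree with it.

    A text file, script or any non-allow-listed format renamed to .png is rejected
    here, before ImageMagick ever sees it and picks a decoder from the content.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in MAGIC_BYTES:
        return False
    detected = detect_format(data)
    if detected is None:
        return False
    # jpg and jpeg share signatures; any other mismatch between name and content fails.
    return MAGIC_BYTES[detected] == MAGIC_BYTES[ext]


# Constructed sample uploads: a genuine PNG header and a text file renamed to .png.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TEXT_AS_PNG = b"this is not an image at all\n"

if __name__ == "__main__":
    print(is_safe_to_process("avatar.png", GOOD_PNG))     # True
    print(is_safe_to_process("avatar.png", TEXT_AS_PNG))  # False
```

Run this check on the server before any ImageMagick invocation; it complements, rather than replaces, the patched release and a restrictive policy.xml.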

This isn’t the first time Yahoo has come under fire for arguably poor bug bounty rewards. In 2013, the tech firm gave a $25 voucher — only usable in the Yahoo company store — to a pair of researchers for disclosing cross-site scripting vulnerabilities affecting two Yahoo domains.

ZDNet has reached out to Yahoo and will update if we hear back.
