Yahoo's Polyvore vulnerable to ImageMagick flaw, researcher receives little reward

Opinion: It's up for debate whether the reward was worth it after all.
Written by Charlie Osborne, Contributing Writer

[Update 18.54GMT: Updated with clarification.]

Yahoo has paid $2,000 as a reward to the security researcher who disclosed the presence of the ImageMagick vulnerability in a Yahoo-owned company domain.

According to Security Week, the ImageMagick vulnerability was present on Polyvore, a community-based social commerce platform acquired by Yahoo last year.

The security flaw, CVE-2016-3714, has been dubbed "ImageTragick" by researchers. Found within the open-source software ImageMagick, an important library used in image processing and uploads across the web, the vulnerability can be exploited to trick the program into running malicious code.

If an attacker uploads a malicious file disguised as an image, they may be able to hijack websites, deliver malware and steal information.

As ImageMagick is used across countless websites, the severity of the impact of the flaw is high.

Cloudflare researchers said this week cyberattackers are already leaping on the ImageTragick bandwagon, compiling the vulnerability into exploit kits and using CVE-2016-3714 in targeted attacks against specific domains.

In Yahoo's case, the company too has been caught flat-footed.

Security researcher Behrouz Sadeghipour discovered that the vulnerability was present in the web domain belonging to Polyvore, recently added to Yahoo's bug bounty program.

Sadeghipour notified Yahoo on May 4 and handed over a proof-of-concept (PoC) as evidence; the vulnerability was patched within a matter of hours.

Sadeghipour was then awarded $2,000 for his efforts, but the researcher believes that due to the scope of the issue, the reward should have been higher.

Yahoo offers up to $15,000 for high-risk vulnerabilities submitted by researchers. This is an interesting case, as the underlying flaw had already been publicized and was originally discovered by a different security expert, but the potentially high impact of the flaw cannot be ignored.

Once one system had been hijacked, an attacker could have moved on towards Yahoo's main domains, depending on the infrastructure and on whether sensitive data -- such as cross-site credentials -- was stolen.

Yahoo says the reward was based on a number of parameters including the "depth and impact" of the flaw.

Webmasters using ImageMagick should update their software to the latest release.
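The article's description of the flaw hinges on a "malicious file disguised as an image" reaching ImageMagick. Beyond updating the library, one cheap defensive gate a webmaster can put in front of image processing is to check that an upload's leading bytes actually carry the signature of the image format its filename claims. The following is an added example and not code from the article, Yahoo or ImageMagick; the set of accepted formats and the sample uploads are constructed assumptions, while the magic-byte signatures themselves are the real ones for PNG, JPEG and GIF.

```python
"""Reject uploads whose bytes do not match a known image signature before
they are handed to an image-processing library such as ImageMagick.

Added example (not from the article). The allowed-format list is an
assumption; the signatures are the standard file headers for each format.
"""

# Real file signatures for the raster formats this hypothetical upload
# form accepts. Anything outside this table is refused outright.
IMAGE_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# jpg and jpeg are the same format under two extensions.
_NORMALISE = {"jpeg": "jpg"}


def detect_image_type(data: bytes):
    """Return the format whose signature the data starts with, or None."""
    for fmt, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def is_safe_to_process(filename: str, data: bytes) -> bool:
    """True only if the extension is allowed AND the bytes carry that
    format's signature. A renamed non-image file fails the second check."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return False
    detected = detect_image_type(data)
    if detected is None:
        return False
    return _NORMALISE.get(detected, detected) == _NORMALISE.get(ext, ext)


# Constructed sample uploads: two genuine image headers, one text file
# renamed to .png (the "disguised as an image" case), one non-image type.
SAMPLE_UPLOADS = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "avatar.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "disguised.png": b"not really an image, just text\n",
    "notes.txt": b"plain text",
}


def triage(uploads):
    """Map each upload name to whether it may be passed on for processing."""
    return {name: is_safe_to_process(name, data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, ok in triage(SAMPLE_UPLOADS).items():
        print(f"{name:15} -> {'process' if ok else 'reject'}")
```

A signature check is a first gate, not a complete fix: it stops a renamed text or script file from reaching the converter, but it does not replace upgrading ImageMagick, and a hardened ImageMagick policy.xml that disables the coders a site never needs (an ImageMagick configuration mechanism not discussed in the article) is the usual companion measure.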

While Yahoo arguably once offered poor bug bounty rewards -- for example, in 2013, the tech firm gave a $25 voucher to a pair of researchers for disclosing cross-site scripting vulnerabilities affecting two Yahoo domains -- there are now over 2,000 researchers contributing to the tech giant's HackerOne-based bug bounty program, and over $1.6 million has been paid out to date.

ZDNet has reached out to Yahoo and will update if we hear back.
