Yahoo has some very stupid programmers

(Written by Lawrence Krubner; however, indented passages are often quotes.) You can contact Lawrence at: lawrence@krubner.com, or follow me on Twitter.

Good lord, why is this developer at Yahoo so slow on the uptake?

Thank you for your submission to Yahoo! Unfortunately we are unable to reproduce the bug due to insufficient information. Please provide us with a proof of concept or any other additional evidence required to reproduce the issue.

The attacker would have to know the invitation id, correct?

One has the sense that the person reporting the bug is shocked by the lack of concern shown by Yahoo:

d4d1a179c0f3 changed the status to New. about 1 month ago
Yes, the attacker has to know the correct invitation id. But I've posted examples found by randomly choosing 100 ids! So it is not hard to iterate.

What more info do you need?

schofield changed the status to Needs more info. about 1 month ago
We are not seeing the security implications here. You would have to know (or guess) the invitation id to only see an invitation. Would you like to expand or explain further?

d4d1a179c0f3 changed the status to New. about 1 month ago
There is no information. That invitation data (e-mail, name, relation, message) is public (because it is – it is visible to anyone). The user can expect that this is private and can write a private message. Also an attacker can gather every e-mail (and matching names) and use it for spam/phishing. More accurate spam/phishing – with users' names. Is it not security related? For me it's typical information disclosure and it should be fixed (only the sender of the invitation should have access to it).
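As an added illustration (not code from the report, from Yahoo, or from this blog), here is the vulnerable lookup beside the fix the reporter asks for. The only check that closes the hole is that the caller is the invitation's sender; opaque ids merely remove the "randomly choose 100 ids" shortcut. The names `InvitationStore`, `view_as`, `view_unchecked` and the `sender` field are assumptions, and the sample data is constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Invitation:
    id: str
    sender: str    # account that created the invitation (assumed field)
    email: str     # recipient e-mail; this and the fields below are the private data
    name: str
    relation: str
    message: str

class InvitationStore:
    def __init__(self):
        self._by_id = {}
        self._seq = 0

    def create(self, sender, email, name, relation, message, opaque_ids=True):
        # Small sequential ids are what made "randomly choosing 100 ids" work.
        # An opaque 128-bit token removes that shortcut, but only the ownership
        # check in view_as() actually fixes the disclosure.
        if opaque_ids:
            inv_id = secrets.token_urlsafe(16)
        else:
            self._seq += 1
            inv_id = str(self._seq)
        inv = Invitation(inv_id, sender, email, name, relation, message)
        self._by_id[inv_id] = inv
        return inv

    def view_unchecked(self, inv_id):
        """Vulnerable handler: whoever supplies an id gets the record."""
        return self._by_id.get(inv_id)

    def view_as(self, inv_id, current_user):
        """Fixed handler: only the sender may read it. Unknown ids and foreign ids
        get the same None, so a probing client cannot tell the two cases apart."""
        inv = self._by_id.get(inv_id)
        if inv is None or inv.sender != current_user:
            return None
        return inv

def demo():
    store = InvitationStore()  # constructed sample: sequential ids, stranger tries "1"
    store.create("alice", "bob@example.com", "Bob", "friend", "hi", opaque_ids=False)
    leaked = store.view_unchecked("1") is not None   # True: data exposed
    blocked = store.view_as("1", "mallory") is None   # True: access denied
    return leaked, blocked
```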

Post external references

  1. https://hackerone.com/reports/1533