Yahoo Fixes Flaw Allowing an Attacker To Read Any User's Emails (zdnet.com)
Yahoo says it has fixed a severe security vulnerability in its email service that allowed an attacker to read a victim's email inbox. From a report on ZDNet: The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail. The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty. In a write-up, Pynnonen said that the flaw was similar to last year's Yahoo Mail bug, which similarly let an attacker compromise a user's account. Yahoo filters HTML messages to ensure that malicious code won't make it through into the user's browser, but the researcher found that the filters didn't catch all of the malicious data attributes.
"The internet giant paid out $10,000..."
So being able to read your customers' email is only worth $10,000 to you, Yahoo?
Don't be surprised if you find the next hack against you was sold to the black market for half that amount, simply because you're too fucking cheap to offer up more than a financial slap in the face.
One would think "money talks" would be a well-known and understood concept to a greedy corporation.