Top reports from Yahoo! program at HackerOne:

Local File Include on marketing-dam.yahoo.com to Yahoo! - 19 upvotes, $2500
Header injection on rmaitrack.ads.vip.bf1.yahoo.com to Yahoo! - 16 upvotes, $1000
Cross-site scripting on the main page of flickr by tagging a user. to Yahoo! - 14 upvotes, $2173
XSS Yahoo Messenger Via Calendar.Yahoo.Com to Yahoo! - 14 upvotes, $677
Store XSS Flicker main page to Yahoo! - 12 upvotes, $1960
REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean to Yahoo! - 11 upvotes, $3000
Loadbalancer + URI XSS #3 to Yahoo! - 10 upvotes, $0
readble .htaccess + Source Code Disclosure (+ .SVN repository) to Yahoo! - 8 upvotes, $250
HK.Yahoo.Net Remote Command Execution to Yahoo! - 7 upvotes, $1276
Bypass of the Clickjacking protection on Flickr using data URL in iframes to Yahoo! - 7 upvotes, $250
Information Disclosure to Yahoo! - 7 upvotes, $0
From Unrestricted File Upload to Remote Command Execution to Yahoo! - 6 upvotes, $800
HTML Injection on flickr screename using IOS App to Yahoo! - 6 upvotes, $800
Directory Traversal to Yahoo! - 6 upvotes, $0
SQLi on http://sports.yahoo.com/nfl/draft to Yahoo! - 5 upvotes, $3705
Java Applet Execution On Y! Messenger to Yahoo! - 5 upvotes, $0
Local file inclusion to Yahoo! - 4 upvotes, $1390
Significant Information Disclosure/Load balancer access, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean to Yahoo! - 4 upvotes, $500
reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean to Yahoo! - 4 upvotes, $300
ads.yahoo.com Unvalidate open url redirection to Yahoo! - 4 upvotes, $0
Security.allowDomain("*") in SWFs on img.autos.yahoo.com allows data theft from Yahoo Mail (and others) to Yahoo! - 3 upvotes, $2500
SQL Injection ON HK.Promotion to Yahoo! - 3 upvotes, $1000
Flickr: Invitations disclosure (resend feature) to Yahoo! - 3 upvotes, $750
https://caldav.calendar.yahoo.com/ - XSS (STORED) to Yahoo! - 3 upvotes, $500
invite1.us2.msg.vip.bf1.yahoo.com/ - CSRF/email disclosure to Yahoo! - 3 upvotes, $400
XSS Vulnerability (my.yahoo.com) to Yahoo! - 3 upvotes, $250
http://conf.member.yahoo.com configuration file disclosure to Yahoo! - 3 upvotes, $100
Default /docs folder of PHPBB3 installation on gamesnet.yahoo.com to Yahoo! - 3 upvotes, $50
ClickJacking on http://au.launch.yahoo.com to Yahoo! - 3 upvotes, $0
Yahoo YQL Injection? to Yahoo! - 3 upvotes, $0
In Fantasy Sports iOS app, signup page is requested over HTTP to Yahoo! - 3 upvotes, $0
caesary.yahoo.net Blind Sql Injection to Yahoo! - 3 upvotes, $0
Stored Cross Site Scripting Vulnerability in Yahoo Mail to Yahoo! - 3 upvotes, $0
XSS in my yahoo to Yahoo! - 2 upvotes, $800
information disclosure (LOAD BALANCER + URI XSS) to Yahoo! - 2 upvotes, $300
XSS in Yahoo! Web Analytics to Yahoo! - 2 upvotes, $100
Vulnerability found, XSS (Cross site Scripting) to Yahoo! - 2 upvotes, $0
HTML Code Injection to Yahoo! - 2 upvotes, $0
Open Redirect via Request-URI to Yahoo! - 2 upvotes, $0
XSS using yql and developers console proxy to Yahoo! - 2 upvotes, $0
Bypass of anti-SSRF defenses in YahooCacheSystem (affecting at least YQL and Pipes) to Yahoo! - 2 upvotes, $0
XSS Reflected - Yahoo Travel to Yahoo! - 2 upvotes, $0
Yahoo mail login page bruteforce protection bypass to Yahoo! - 2 upvotes, $0
Clickjacking at surveylink.yahoo.com to Yahoo! - 2 upvotes, $0
Almost all the subdomains are infected. to Yahoo! - 2 upvotes, $0
http://us.rd.yahoo.com/ to Yahoo! - 2 upvotes, $0
XSS on Every sports.yahoo.com page to Yahoo! - 1 upvotes, $1500
Server Side Request Forgery to Yahoo! - 1 upvotes, $500
XSS in https://hk.user.auctions.yahoo.com to Yahoo! - 1 upvotes, $500
Comment Spoofing at http://suggestions.yahoo.com/detail/?prop=directory&fid=97721 to Yahoo! - 1 upvotes, $500
Cross-origin issue on rmaiauth.ads.vip.bf1.yahoo.com to Yahoo! - 1 upvotes, $250
Yahoo! Reflected XSS to Yahoo! - 1 upvotes, $250
Yahoo open redirect using ad to Yahoo! - 1 upvotes, $0
A csrf vulnerability which add and remove a favorite team from a user account. to Yahoo! - 1 upvotes, $0
Insufficient validation of redirect URL on login page allows hijacking user name and password to Yahoo! - 1 upvotes, $0
Reflected XSS in mail.yahoo.com to Yahoo! - 1 upvotes, $0
Authentication bypass at fast.corp.yahoo.com to Yahoo! - 1 upvotes, $0
Information Disclosure, groups.yahoo.com,6-april-2014, #SpringClean to Yahoo! - 1 upvotes, $0
clickjacking on leaving group(flick) to Yahoo! - 1 upvotes, $0
Yahoo! Messenger v11.5.0.228 emoticons.xml shortcut Value Handling Stack-Based Buffer Overflow to Yahoo! - 1 upvotes, $0
Open Proxy, http://www.smushit.com/ysmush.it/, 4/09/14, #SpringClean to Yahoo! - 0 upvotes, $2000
CSRF Token missing on http://baseball.fantasysports.yahoo.com/b1/127146/messages to Yahoo! - 0 upvotes, $400
Infrastructure and Application Admin Interfaces (OWASP‐CM‐007) to Yahoo! - 0 upvotes, $250
Yahoo Sports Fantasy Golf (Join Public Group) to Yahoo! - 0 upvotes, $200
CSRF Token is missing on DELETE message option on http://baseball.fantasysports.yahoo.com/b1/127146/messages to Yahoo! - 0 upvotes, $200
Testing for user enumeration (OWASP‐AT‐002) - https://gh.bouncer.login.yahoo.com to Yahoo! - 0 upvotes, $100
Authorization issue on creative.yahoo.com to Yahoo! - 0 upvotes, $50
Open redirect on tw.money.yahoo.com to Yahoo! - 0 upvotes, $0
TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP‐DV‐001) to Yahoo! - 0 upvotes, $0
Multiple vulnerabilities to Yahoo! - 0 upvotes, $0
URL Redirection to Yahoo! - 0 upvotes, $0
clickjacking to Yahoo! - 0 upvotes, $0
Authentication Bypass in Yahoo Groups to Yahoo! - 0 upvotes, $0
Open URL Redirection to Yahoo! - 0 upvotes, $0
Out of date version to Yahoo! - 0 upvotes, $0
Authentication Bypass due to Session Mismanagement to Yahoo! - 0 upvotes, $0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TOPYAHOO!.md

TOPYAHOO!.md

Files

TOPYAHOO!.md

Latest commit

History

TOPYAHOO!.md

File metadata and controls