October 11, 2021

Cyber Security Awareness Month Extravaganza! Bug Bounty CTF (Public-009)

Note: Verizon Media is now known as Yahoo.

image of trophy with paranoids logo surrounded by bugs

In an effort to celebrate National Cybersecurity Awareness Month, the Paranoids are launching a capture the flag-style bug bounty promotion aimed at offensively testing a number of specified Yahoo accounts.

That’s right! We want you to hack specific Yahoo Mail accounts — and only those accounts — and get paid more for doing it.

The promotion includes two primary types of challenges:

  • Gain read access to these specified accounts and extract the flags specified below.
  • Similarly obtain write access to these accounts, showcased primarily by creating an app password for one of the designated accounts.

All reports must be submitted at https://hackerone.com/yahoo.

Each flag comes with a specific bounty, ranging between $15,000-and-$50,000. Larger amounts will be paid to the first researcher to capture a specific flag. Smaller prizes will be split among others who follow with unique research.  Check out the breakdown:

Objective 1 (Read Access)

  • 1st Prize - $15,000 bounty - To the first report showcasing a method to access the flag in one or more accounts.
  • Participation Trophy - $15,000 bonus - Split among all other reports that showcase a different method to access the flag in one or more accounts.

Objective 2 (Write Control)

  • 1st Prize - $50,000 bounty - To the first report showcasing a method to create an App Password for one or more of the target accounts.
  • Participation Trophy - $35,000 bonus - Split among all other reports that showcase a different method to create an App Password for one or more of the target accounts

The 50-day-long competition starts today — Monday, October 11, 2021 — and will end on Tuesday, November 30, 2021. However, there are restrictions to ensure we see your report in a timely fashion:

  1. Only one incentive will be awarded for a group of related reports.
  2. Reports must be submitted Monday through Friday between 9AM and 5PM GMT-4.
  3. A 1-hour dupe window will be applied every Monday from 9AM through 10AM GMT-4.

And, we can’t stress this enough, DO NOT perform vulnerability exploitation on SAML implementations or Third Party Authentication providers to gain access to Yahoo accounts. Any bug bounty report or proof-of-concept that performs such techniques will automatically be disqualified for an award.

Now let’s get into the specifics. Here are the target accounts with their related flags:

Associated Yahoo Account — yqa_h1_chal1@yahoo.com

Flag: (Read or Write) 2SV (2-step-verification)  with security key;

Associated Yahoo Account —  yqa_h1_chal2@yahoo.com

Flag: (Read or Write) 2SV with TOTP (time-based one-time password) (Authenticator app)

Associated Yahoo Account —  yqa_h1_chal3@yahoo.com

Flag:  (Read or Write) Password (1st factor via QR code)

Associated Yahoo Account — yqa_h1_chal4@yahoo.com

Flag:  (Read or Write) 1st factor via YAK

Associated Yahoo Account — yqa_h1_chal5@yahoo.com

Flag:  (Read or Write) 1st factor via Biometric

Associated Yahoo Account — yqa_h1_chal6@yahoo.com

Flag:  (Read or Write) Account with App password

To help identify reports, we encourage you to put “Public-009” in the title or summary of your report.


Scope: Identity/Membership

You can find these Yahoo and AOL based assets:

  • https://login.yahoo.com
  • https://api.login.yahoo.com
  • https://login.aol.com
  • https://api.login.aol.com

The fine print:

  • Reports will be triaged in the order they are submitted.
  • Reports that do not include a CVSS vector, score, rating and justification may receive reduced priority in the triage queue. This may result in missing out on the bonus.
  • Reports that are incomplete or lack sufficient proof may be triaged after later reports. This may result in the later report receiving the bonus and not the earlier report. To try to address this, we will do our best to close incomplete reports and let you file a new, more complete report when you have the missing information.
  • When we have reached the duration limit, a notice will be shared to state the Promotion has ended.
  • You may always continue to hack and submit bugs that are not related to this promotion.
  • CeaseFires may be called during this promotion. That will earn a 25% bonus as usual, on the base bounty only.
  • The 1st Prize incentive indicates a minimum which will be awarded to the report (bounty + bonus). The bounty will be determined according to standard policy and procedure and subtracted from the $50,000 prize (e.g. a $5,000 bounty would result in a $45,000 bonus. If 10x SBDH bonuses are also included, that bonus would be added raising the total bonus to $47,500; similarly a $10,000 bounty would earn a $40,000 bonus).
  • The Participation Trophy incentive (or the shared amount of it) will be awarded as a bonus in addition to the standard bounty that each report will earn.
  • A single report cannot receive multiple Objective incentives.
  • All reports are eligible for other standard bonuses.
  • Limit traffic against our services to < 10/second when probing or testing

Finally, thanks for reading this far. Here’s a tip, this documentation might help you in your hunt for bigger bounties: https://developer.yahoo.com/oauth2/guide/