Yelp's Bug-Bounty Map
-
Martin Georgiev, Software Engineer
- Sep 6, 2016
For the past two years we’ve been running a private bug-bounty program. We worked with academic researchers and bug hunters from all over the world and, as a result, we have fixed over a hundred potential vulnerabilities, and have paid bug bounties to dozens of security experts.
Today we’re launching our public bug-bounty program as our next step towards improving the security of Yelp’s systems and services. Our vulnerability reward payouts will go up to $15,000 USD for the most impactful exploits.
Since getting familiar with our infrastructure may be a bit intimidating, we’ve put together some information below to help you through the bootstrap process.
Consumer Site
Location: www.yelp.com, m.yelp.com.
Purpose: With millions of people using Yelp every day both on their desktops and mobile devices, our consumer site is one of our major assets. Users come to our consumer site to search for and message local businesses, order food, review local establishments, engage with other local users, etc.
Under the hood: Python, Java, C++.
What to look for: We are interested in any vulnerabilities that allow the attacker to map user profiles to their respective email addresses. Other critical vulnerabilities in our consumer site would involve the ability of a malicious user to modify other users’ reviews, order food for free or gain access to another user’s payment details: e.g., reveal PANs. Look also for web vulnerabilities that result in sensitive data disclosure, data injection/exfiltration, insecure session management, etc.
Business Owner’s Site
Location: biz.yelp.com.
Purpose: Our biz site allows business owners to manage their Yelp presence, track visitor engagement, respond to customer inquiries and messages, reply to reviews with a private message or a public comment, subscribe to advertising programs and track ad spending.
Under the hood: Python, Java, C++.
What to look for: Similar to the consumer site, look for any web vulnerabilities that result in authentication or authorization bypass, sensitive data exfiltration, data injection, or request forgery. We are especially interested in vulnerabilities that allow an attacker to impersonate a business owner, escalate account privileges within a business page (e.g., upgrade an employee account to an admin account), modify ad spending, obtain non-public or bulk data sets that ought to be restricted to the business owners, or obtain non-public or bulk information about Yelp users’ interactions with a particular business.
Mobile Apps
Android: Yelp, Yelp for Business Owners. iOS: Yelp, Yelp for Business Owners. Backend: auto-api.yelp.com, mobile-api.yelp.com, biz-app.yelp.com.
Purpose: Our consumer apps help users find great local businesses while on the go. The biz apps offer a bundle of free tools that enable business owners to advertise their businesses and connect with the Yelp community.
In the most recent quarter content (reviews and photos) on Yelp was predominantly generated on our mobile apps; searches on Yelp, by and large, came from mobile devices. Thus, we’re dedicated to ensuring the security of our iOS and Android apps.
Under the hood: The backend API is written in Python. Our iOS apps are written in Objective-C and Swift, and integrate a number of libraries via CocoaPods. Our Android apps are written in Java and integrate libraries via Maven, including Glide for image loading, Apache’s HTTP client for web requests, and Android Priority Job Queue for high priority jobs. Several components of our apps use WebViews. Always test against the latest mobile app that is currently available on Google Play, for Android, or the App Store for iOS.
What to look for: In this category, we are most interested in mobile-specific vulnerabilities. Look for insecure storage of data, insecure WebView configs, insecure network connections, sensitive data disclosure via logs/errors, privilege separation, etc. Vulnerabilities that allow tracking large number of users in real time are also considered high-severity issues.
Yelp Reservations
Location: www.yelpreservations.com, Restaurant Manager iOS app.
Purpose: Yelp Reservations is an online management system for restaurants, bars and nightlife venues that provides floor management and online reservations. Restaurant managers use Yelp Reservations via a dedicated mobile app or via a web dashboard. Consumers use Yelp Reservations indirectly
- whenever they reserve a table at local businesses via our Yelp platform or one of our partners.
Under the hood: Python, Django (on the Web), Objective-C (mobile app).
What to look for: Web vulnerabilities such as XSS, CSRF, SQLi, etc. are all in scope. We are also interested in any mobile vulnerability you find in our mobile app.
Engineering Blog, The Yelp Blog
Location: engineeringblog.yelp.com, yelpblog.com.
Purpose: We use our engineering blog to notify the general public about all the cool technology we are developing here at Yelp. The Yelp Blog is the official voice of Yelp HQ. We use it to talk about news, product, community, business, etc.
Under the hood: Jekyll, Ruby, PaaSTA (Engineering Blog); PHP, WordPress (The Yelp Blog).
What to look for: Vulnerabilities that enable attackers to add, delete or modify any of the content on the engineering blog. We are also interested in disclosure of sensitive information via path traversal and vulnerabilities in the authentication component of the system.
Public API
Location: api.yelp.com.
Purpose: We recently released our Public API v3 in developer preview mode. This API aims to enable third-party developers to build great mobile and web apps on top of our data. With API v3, developers can programmatically search for great local businesses, retrieve review excerpts, obtain business specific data such as address, phone number and photos.
While most of our effort going forward will be focused on the Public API v3, its predecessor - Public API v2 - will continue to exist. Our API v2 supports geographically-oriented search, searching for businesses offering a Yelp Deal, identifying businesses that have been claimed on Yelp, etc.
Under the hood: Python, Pyramid, uWSGI.
What to look for: Focus on authentication bypasses, rate limiting issues and the ability to obtain large number of full-length reviews. We are also interested in data injection attacks that may alter the internal state of our data stores or leak sensitive information to malicious users.
Yelp Support
Location: www.yelp-support.com.
Purpose: We use the Support Center to provide answers to frequently asked questions in categories such as searching on Yelp, managing your user profile, managing your business presence, acquiring and maintaining an Elite status, etc.
Under the hood: Salesforce’s Service Cloud Platform.
What to look for: We are interested in any vulnerability that allows an unauthorized modification of content.
The security team at Yelp is committed to keeping our users, our data, and our
platform and services safe and sound. If you find a security issue in any of our
systems, let us know immediately. We are ready to
work with you and make every effort to address the identified vulnerability in
a timely manner.
Happy hacking!