Yahoo says servers were exploited using another vulnerability and no data was stolen
Yahoo has denied claims that some of its servers were hacked by security researchers seeking to exploit the Shellshock bug, adding that no user data was stolen and that the machines infiltrated were accessed using a different vulnerability.
Shellshock is a serious vulnerability in Bash, the command shell used throughout Unix-like systems, that allows an attacker to run a wide range of malicious code remotely – using as little as three lines of code.
Researcher Jonathan Hall claimed Romanian hackers have compiled a list of servers at companies like Yahoo, Lycos and Winzip susceptible to the vulnerability, and conducted tests to identify affected machines.
He was able to access two servers at the company and said he contacted the FBI, Yahoo and even CEO Marissa Mayer herself before deciding to make his findings public due to the “negligent” response.
“There are no publicly available contact methods for Yahoo! that have yielded any luck with trying to contact them regarding this,” said Hall. “This is gross negligence and a complete lack of care or concern for the safety of the consumers in terms of financial information.”
However, Yahoo chief security officer Alex Stamos says the company responded to the allegations by quarantining the servers in question in a bid to protect user data and further investigate the potential risk.
He told Hacker News that the servers, used to deliver sports updates and news feeds, were not affected by the Shellshock bug because they had already been patched, and that the attackers had instead got in with an altered version of their exploit code.
“After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock,” he said. “Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers.
“These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.
“The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.”
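The failure mode Stamos describes is a log-parsing helper that passes a request field through a shell, so a Shellshock-style payload that never touches Bash's function-import bug still runs. The following is an added illustration, not the article's or Yahoo's code: the log lines, file path and function names are constructed, and it shows the vulnerable command shape beside the hardened one plus the log check a defender would run for such probes.

```python
import re
from typing import List

# Constructed sample lines in combined log format. The third carries a
# Shellshock-style probe in the User-Agent field (a constructed value).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2014:10:01:12 +0000] "GET /api/live HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Oct/2014:10:01:13 +0000] "GET /api/scores HTTP/1.1" 200 980 "-" "curl/7.35.0"
198.51.100.7 - - [06/Oct/2014:10:01:14 +0000] "GET /api/live HTTP/1.1" 200 512 "-" "() { :;}; /bin/true"
"""

# Bash treated a variable beginning with "() {" as an exported function and, before
# the patch, ran whatever followed it. IDS and WAF rules match that prefix while
# tolerating the whitespace variations that "mutated" probes use, so this does too.
SHELLSHOCK_PROBE = re.compile(r"\(\s*\)\s*\{")


def parse_user_agents(log_text: str) -> List[str]:
    """Return the User-Agent field of each combined-format log line."""
    agents = []
    for line in log_text.splitlines():
        fields = re.findall(r'"([^"]*)"', line)  # request, referer, user-agent
        if len(fields) >= 3:
            agents.append(fields[2])
    return agents


def find_probes(log_text: str) -> List[str]:
    """Return every user-agent string that looks like a Shellshock probe."""
    return [ua for ua in parse_user_agents(log_text) if SHELLSHOCK_PROBE.search(ua)]


def count_requests_unsafe(ua: str, log_path: str) -> str:
    """Vulnerable shape (hypothetical): the user-agent is spliced into a command line
    that a script would hand to a shell. A ';' in the value ends the grep command and
    the remainder is executed as a second command. Returned, not run, to show the shape."""
    return f"grep -c {ua} {log_path}"


def count_requests_safe(ua: str, log_path: str) -> List[str]:
    """Hardened shape: an argv list for subprocess.run with no shell, and '--' so a
    value starting with '-' cannot be read as a grep option. The probe stays one argument."""
    return ["grep", "-c", "--", ua, log_path]
```

Running the hardened form with `subprocess.run(count_requests_safe(ua, path), capture_output=True, text=True)` never invokes a shell, which is the property the CI/CD scanner Stamos mentions would check for.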
Stamos also said Hall made no attempt to contact Yahoo through its Bug Bounty or security emails, adding that the investigation had started within an hour of Mayer being emailed directly. Hall has disputed these claims and maintains the hack was related to Shellshock.
“At this point, I’m not convinced the problem is contained, nor am I convinced the users data is secure… And I am flat out accusing Stamos, and Yahoo!, of being dishonest and inaccurate in their reports of this breach, as well as being grossly negligent to their users and shareholders by releasing inaccurate and misleading information,” he said.