Yahoo!: Your data is safe with us. Security flaw not due to Shellshock bug

Yahoo! has backtracked on a statement issued earlier that a "small number" of its servers were infiltrated by cyber attackers looking to exploit Shellshock.

In a blog post written on Hacker News, Yahoo! chief information security officer Alex Stamos says the vulnerability found and exploited by a group of Romanian hackers on three of the company's API services for its sports live streaming service was not due to Shellshock, correcting a statement earlier released that confirms a report published by Jonathan Hall, president and senior engineer at Future South Technologies.

"Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw," says Stamos. "After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock."

Stamos explains that the hackers had instead "mutated" their attack and gone for a vulnerable monitoring script that was running at the time of the attack to parse and debug the web logs. He stresses that no user information was compromised by the attack and that engineers at Yahoo! had already succeeded in isolating the servers and safeguarding user information.

"As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public," Stamos adds.

On Oct. 5, Hall published a blog post saying that at least two Yahoo! servers used for live-streaming sports events were infiltrated by a cohort of hackers from Romania and were being used to build up a botnet, or a network of infected computers that spread the bug. Hall also says that the hackers are traversing Yahoo!'s network piece by piece and could be planning to take over the company's game servers. Millions of Internet users visit Yahoo!'s Java-based games website every day. He also observed the same exploit going on in WinZip and Lycos' servers.

"This breach is very serious, and jeopardizes every consumer that uses Yahoo! in any manner, from shopping to email, and even game playing," Hall writes on his blog.

Hall, however, is not convinced about Stamos' statement, saying that Yahoo! should publish "unhindered, unhampered -- with [server] logs" to prove that their servers were not compromised due to Shellshock.

Shellshock, also known as the Bash bug, is a quarter-century-old security flaw discovered only last month in the Bash shell, a command-line shell processor used in Linux and Unix operating systems, including Apple's Mac OS X. The bug allows cyber crooks to execute code on machines operating with Bash and take over entire machines.

WinZip, for its part, says it has "since replied to Mr. Hall directly to thank him for contacting us" and will "apply the appropriate software updates as issues are identified." Lycos declined to comment.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics