Connect with us

Hi, what are you looking for?



Hackers Compromised Yahoo Servers Using Shellshock Bug

UPDATE – Yahoo!

UPDATE – Yahoo! has provided an update saying that after all, the servers in question were NOT compromised via the Shellshock vulnerability, but rather a “minor bug in a parsing script”. A story with the update is here, and the original story below.

Attackers have figured out a way to get onto some of Yahoo’s servers via the Shellshock bug over the past few weeks. This may be the first confirmed case of a major company being hit with attacks exploiting the vulnerability in bash.

At least two servers for Yahoo Games have been breached, Jonathan Hall, a security researcher and a senior engineer with Future South Technologies, wrote on Reddit. The servers were vulnerable because they were using an older version of bash, Hall said. Yahoo confirmed the breach over email, he said.

Contacted by SecurityWeek, a Yahoo spokesperson provided the following statement Monday afternoon:

A security flaw, called Shellshock, that could expose vulnerabilities in many web servers was identified on September 24. As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network. Last night, we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data. We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data.

“This breach is very serious, and jeopardizes every consumer that uses Yahoo! in any manner, from shopping to email, and even game playing,” Hall wrote in a detailed technical post on Future South Technologies website.

Hall noted that millions of people visit Yahoo Games per day, and the games themselves are Java-based. Considering that Shellshock give attackers full control of the compromised server, there are many things attackers can do, such as stealing user information, harvesting financial data, and infecting visitor computers with malware.

“Romanian hackers are currently working on further infiltrating the Yahoo! Network, and also have infiltrated Lycos and,” Hall wrote.

Advertisement. Scroll to continue reading.

Hall first came across the group when he found a server on—a “store” server which acted as a payment gateway for WinZip purchases—running an IRC DDoS bot. The script “was commented all over in Romanian and really appeared to focus more on shell interaction than DDoS capabilities,” Hall wrote. He tracked the same attacks on, and noted the attacker was forcing vulnerable servers into downloading a perl script which invoked a remote shell. The attackers were “digging through the network” and traversing the servers looking for other vulnerable servers.

“He’s actively working on rooting these boxes little by little and building up his arsenal,” Hall wrote, noting the target appeared to be Yahoo Games servers. Attackers successfully breached and Hall noted that while he has confirmed only these two servers, it was likely others have also been compromised.

Hall publicized his findings on the Future South site because the Federal Bureau of Investigation did not seem to take his findings seriously. “They really aren’t seeing the severity and danger of this situation, and really are not reacting quick enough,” he wrote.

Hall also struggled to find the proper contact at Yahoo to report the issue, emailing various addresses and even going as far as to reach out to CEO Marissa Meyer via email and Twitter.

Hall claimed in his Reddit post that his discovery of the breached servers did not quality under the company’s bounty program.

“I literally gave them two servers that were hacked, of which there were most likely more—without a doubt—considering one gets a public DNS response of a private IP address… And that doesn’t quality? What a joke,” Hall wrote.

A commenter on Reddit noted that Yahoo gave a Swiss security researcher a $25 voucher back in 2013 to redeem Yahoo-branded gear such as t-shirts and pens after he reported three serious vulnerabilities. Attackers could have exploited the bugs to take over Yahoo email accounts by tricking logged-in users into clicking on a specially crafted link.

Hall also noted that while much of the discussion on exploiting Shellshock has focused on using Web scripts, he has successfully exploited bash through OpenSSH and FTP servers “where certain conditions are met,” and even a a stratum server being run by a bitcoin mining pool. “It’s a shame I’m not malicious, I’d have hijacked a ton a bitcoins,” Hall noted.

Related: Yahoo! Changes Tune After Saying Servers Were Hacked By Shellshock

Related: ‘Shellshock’ Attacks Could Already Top 1 Billion: Report

*Updated with statement from Yahoo!

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.