Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Yahoo! Changes Tune After Saying Servers Were Hacked By Shellshock

On Monday afternoon, Yahoo told SecurityWeek that servers associated with Yahoo Games had been hacked as a result of the recently disclosed “Shellshock” vulnerability, but the company now says that its original conclusion was wrong.

On Monday afternoon, Yahoo told SecurityWeek that servers associated with Yahoo Games had been hacked as a result of the recently disclosed “Shellshock” vulnerability, but the company now says that its original conclusion was wrong.

In its original statement issued Monday afternoon, the company said that on Sunday night, a “handful” of its servers were impacted but said there was no evidence of a compromise to user data.

Hours later, Yahoo! Contacted SecurityWeek with a change in tune, saying that after all, the servers in question were NOT compromised via the Shellshock vulnerability, but rather a “minor bug in a parsing script”.

“Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by Shellshock. After investigating the situation fully, it turns out that the servers were in fact no affected directly by Shellshock, but by a minor bug in a parsing script,” a Yahoo! Spokesperson told SecurityWeek. “Regardless of the cause, our course of action remained the same — to isolate the servers at risk and protect our users’ data.”

The company maintained its position that no evidence has been found suggesting that user information was affected by the incident.

Yahoo! CISO, Alex Stamos provided additional details in a post to Y Combinator’s Hacker News.

“Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers,” Stamos explained. “These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.

Stamos, who became VP of Information Security and CISO at Yahoo! in March 2014, continued:

“As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!

The original story with more background on the incident can he found here

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.