Romanian hackers have exploited the Shellshock vulnerability to gain access to Yahoo servers, according to Jonathan Hall of security consulting company Future South Technologies. Hall announced the hack of Yahoo, as well as Lycos and WinZip, on the Future South blog after informing the companies and the FBI.
According to a series of blog posts, Hall discovered the vulnerabilities on Saturday night, and watched overnight as the exploit expanded. Hall claims he began attempting to alert Yahoo before 5 am CST, but that it, like the other two companies, was slow to respond.
WinZip confirmed to Hall that they were hacked, while Lycos initially denied that it had been breached, and subsequently admitted the need for further testing. Yahoo confirmed that it had been breached midday on Sunday, and on Monday Yahoo CISO Alex Stamos posted a response to the incident to Hacker News.
“Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock,” Stamos said. “Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users’ data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.”
Stamos also responded to allegations by Hall that Yahoo had been slow to react to the breach, saying that the affected systems had been isolated and the investigation begun within an hour of the email Hall addressed to CEO Marissa Mayer.
Hall in turn responded to Stamos, at first accusing him of giving misleading information, and then trashing Stamos’ explanation for how the breach really occurred.
“I’m not saying for a fact that more than what they are saying was compromised was,” said Hall. “But what I am saying for a fact is that there’s no way in hell they can be certain when they can’t even honestly provide a technical explanation of how the breach occurred in the first place.”
The Independent notes Yahoo’s reputation for under appreciating bug bounty hunters. Yahoo gave a $25 voucher to an ethical hacker who disclosed three bugs in Yahoo servers last year.