Yahoo Server Hack: Shellshocked Or Not?

Published: 22/11/2024   Category: security




Yahoo goes on the record to state that an attack over the weekend was not related to Shellshock, but an independent researcher insists the Bash bug is rearing its head on Yahoo infrastructure.



Contrary to news reports yesterday, an attack against several Yahoo servers this weekend was not related to Shellshock, according to Yahoo CISO Alex Stamos, who also says no user data was accessed during the attack. Stamos made his assertion after reports from the independent researcher Jonathan Hall that Romanian hackers had infiltrated Yahoo's network through the Bash bug vulnerability on its servers.
Though a company spokesperson did initially say Shellshock was to blame, Stamos said his team found that the incident was isolated to three Yahoo Sports servers, which attackers were probing for Shellshock vulnerabilities.
"After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock," Stamos wrote in a post to the Hacker News forum. "These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs."
According to Stamos, only three servers were affected. These servers were isolated from the network and provide live game streaming data, so no user data was impacted. The early indications that the attack came via Shellshock caused some confusion at first, because his team had already patched its servers with fixes for the Bash bug.
"Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack, which revealed the root cause: not Shellshock," Stamos wrote. "Let this be a lesson to defenders and attackers alike: just because exploit code works doesn't mean it triggered the bug you expected!"
For his part, though, Hall remains dubious. In a response to Stamos's post, he expressed skepticism that attackers mutated the Shellshock payload in a way that coincidentally perfectly met the conditions of the Yahoo monitoring script. Such an occurrence would require an attacker to hit the lottery, according to Hall.
"At this point, I'm not convinced the problem is contained, nor am I convinced the users' data is secure," he said. "The Yahoo infiltration was from the Shellshock vulnerability and it did not originate on the sports servers. How do I know? Because I sat there watching it happen."
The antagonism between Hall and Yahoo seems to have colored the entire episode. During the initial disclosure of the vulnerability, Hall claimed Yahoo was unresponsive to his communication of an issue. He ended up tweeting to Yahoo CEO Marissa Mayer and sending her an email about the issue.
Stamos says that Hall never made an attempt to contact his team through its Bug Bounty program or any of its security email accounts, which are manned around the clock. He says his team began investigating the matter within an hour of Hall's email to Mayer.
"Yahoo takes external security reports seriously and we strive to respond immediately to credible tips," Stamos said. "Our records show no attempt by this researcher to contact us using those means."
This is substantiated by Hall, who says he did not know about Yahoo's bounty program and tried to contact Yahoo through the phone number on its whois domain name lookup records.
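The failure mode Stamos describes, a log-processing script that lets a logged request field reach a shell, is independent of whether Bash itself is patched. The following is an added example, not Yahoo's script or code from the article; the log line, the function names and the `tr` pipeline are assumptions constructed for illustration, and the marker payload only echoes two digits.

```python
import re
import subprocess

# Constructed log line (combined log format). The User-Agent carries a
# harmless command substitution that serves only as a visible marker.
SAMPLE = ('203.0.113.7 - - [05/Oct/2014:10:00:00 +0000] "GET /scores HTTP/1.1" '
          '200 512 "-" "Mozilla/5.0 $(echo 4)$(echo 2)"')
BENIGN = ('203.0.113.8 - - [05/Oct/2014:10:00:01 +0000] "GET /scores HTTP/1.1" '
          '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"')

# Shell syntax that has no business in a header value: command substitution,
# backticks, the "() {" function-definition prefix, and pipes or && chains.
SHELL_SYNTAX = re.compile(r'\$\(|`|\(\)\s*\{|&&|\|')


def user_agent(line):
    """Return the last quoted field of a combined-format log line."""
    m = re.search(r'"([^"]*)"\s*$', line)
    return m.group(1) if m else ""


def normalize_vulnerable(line):
    """Hypothetical 'before': the field is pasted into a shell command string."""
    cmd = f'echo "{user_agent(line)}" | tr A-Z a-z'
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.strip()


def normalize_safe(line):
    """Hardened: no shell is involved; the field reaches tr only as stdin data."""
    done = subprocess.run(["tr", "A-Z", "a-z"], input=user_agent(line),
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def looks_like_shell_syntax(line):
    """Detection aid: flag log lines whose User-Agent contains shell syntax."""
    return bool(SHELL_SYNTAX.search(user_agent(line)))


if __name__ == "__main__":
    print("vulnerable:", normalize_vulnerable(SAMPLE))  # substitution was executed
    print("safe:      ", normalize_safe(SAMPLE))        # substitution stays literal
    print("flagged:   ", looks_like_shell_syntax(SAMPLE))
```

The vulnerable path executes the substitution on any POSIX shell, patched or not, which is why a Shellshock fix alone does not close this class of bug.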
