Yahoo hack wasn’t Shellshock, company claims

Malware attack was not Shellshock, and no user data was affected, Yahoo said

Zachary Davies Boren
Tuesday 07 October 2014 11:55 BST

Yahoo has announced that the hackers who breached its servers this weekend did not use the Shellshock superbug as was previously reported.

In a statement, Yahoo’s head of information security Alex Stamos said that hackers had executed malware in a failed search for Shellshock vulnerabilities, and had not gained access to any user data.

The attackers, who zeroed in on the site’s Sports API servers, “mutated” the malicious code to look for access points.

Stamos reported that the original security flaw was exclusive to a small number of machines, and that it has now been fixed, with the malware added to Yahoo’s scanners.

He wrote: “We isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock.

“At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected.

“As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public.”

He added: “Just because exploit code works doesn’t mean it triggered the bug you expected!”

Yahoo’s investigation into server security was launched after ethical hacker Jonathan Hall discovered a group of Romanian cyber criminals were infiltrating Yahoo servers.

Hall, who published his method and his findings on his blog, also alerted Yahoo and the FBI to the hack.

Stamos also addressed criticism of Yahoo for not compensating Hall for his discovery, arguing that it was done outside of the company’s bug bounty programme.

He wrote: “Yahoo takes external security reports seriously and we strive to respond immediately to credible tips.

“Our records show no attempt by this researcher to contact us using [bug bounty] means.”

Hall also found similar security breaches in WinZip and Lycos servers. He said that WinZip confirmed the hack and thanked him for the discovery.

Hall claims that Lycos, on the other hand, denied the hack and have tried to cover it up by deleting the compromised script.
