Yahoo Wasn’t Shellshocked in Server Attack, CISO Claims

Yahoo has claimed that several of its servers which came under attack over the weekend were not affected by Shellshock as at first thought, but a similar bug.

The firm’s CISO, Alex Stamos, took to Hacker News late on Monday to “clear up some misconceptions.”

“Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters,” he explained.

“This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.”

Said servers stream live game data to Yahoo Sports so don’t store any user data, and there’s no evidence of other machines having been compromised, he added.

“As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public,” said Stamos.

“Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!”

Stamos was also at pains to point out that the researcher who brought the original problem to the attention of Yahoo didn’t use the official Bug Bounty channels but instead emailed and tweeted CEO Marissa Meyer.

That man was Jonathan Hall, president of consultancy Future South Technologies, who claimed Yahoo, Lycos and WinZip were being attacked with malicious code designed to exploit the Shellshock vulnerability – possibly by Romanian hackers.

Yahoo has now fixed the “small number” of machines that were affected, Stamos claimed.

What’s Hot on Infosecurity Magazine?