Yahoo data breach was not due to a Shellshock attack but a server flaw


Hackers aiming on exploiting the Shellshock bug discovered last week attacked Yahoo servers, but didn't need Shellshock to gain entry.

Instead the hackers were able to capitalize on a server flaw which they possibly did not even know about.

"Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw," said Alex Stamos, Yahoo chief information officer. "After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock."

Yahoo claims no user data was affected and that users should not be concerned.

"We have found no evidence that the attackers compromised any other machines or that any user data was affected," continued Stamos. "As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public,"

According to a report published late on Sunday night by Future South Technologies President Jonathan Hall, the servers affected included a Yahoo Sports server. The report also mentioned that Lycos, which is a search engine and portal first created in 1994, and WinZip were susceptible to Shellshock.

Hall noted in the report that he had been accused of computer crimes 10 years ago and even had run-ins with the Federal Bureau of Investigation. He has reportedly notified the companies involved as well as the FBI.

"Though the FBI seemed intrigued by this, in my opinion, they aren't moving with any form of haste," said Hall in the report. "And every minute that goes by jeopardizes the safety of yours and my personal information, financial data and much much more."

Despite supposed good intentions, Hall, who is not to be confused with the hackers, may have landed himself in some trouble given how he conducted his research -- he may have altered some code found on hackers' servers, which could be deemed illegal.

"There is a serious question mark over the ethics of his actions, though, as he seems to be exploiting compromised hosts to shut down the malicious scripts running on them," said security researcher Andreas Lindh. "While his intentions may be good, he is still running his code on other people's servers,"

WinZip, which is a file-compression tool, has reportedly fixed its vulnerability to Shellshock. The company said in an interview that no user data was compromised in the attack.

ⓒ 2018 All rights reserved. Do not reproduce without permission.
Real Time Analytics