Yahoo Servers Hacked: Shellshock Me, Shellshock Me Not
Yahoo servers have been hacked, and the news surrounding the events is at best contradictory. According to Business Insider, security researcher Jonathan Hall claims to have found substantial evidence that Romanian hackers exploited the Shellshock Bash bug to gain access to Yahoo servers, and he describes the process he used in great detail on his website.
Previously, we have covered news about the Shellshock bug, which was disclosed only in September 2014 but had existed for more than 20 years. The bug allows an attacker to run arbitrary commands on a vulnerable server and obtain whatever information is stored there.
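As an added example (not part of the original article or of Hall's write-up), the script below shows the two checks a practitioner would run in this situation: the canonical local test for the original Shellshock bug (CVE-2014-6271), and a scan of a web server access log for the function-definition marker that Shellshock probes carry in HTTP headers. The log lines are constructed for this example; the IP addresses and request paths are placeholders. Note that a matching log line shows that a probe was received, not that it succeeded.

```shell
#!/bin/sh
# Added example: local Shellshock check plus an access-log scan for Shellshock probes.

# Canonical local test for CVE-2014-6271. An unpatched bash imports the environment
# variable x as a function definition and ALSO executes the command that trails it,
# so the word "vulnerable" appears in the output. A patched bash (or a host with no
# bash at all) never runs the trailing command, and the function reports "patched".
shellshock_check() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Constructed sample access log in Apache "combined" format (client, timestamp,
# request, status, size, Referer, User-Agent). Two of the three requests carry a
# Shellshock payload: one in User-Agent, one in Referer. A CGI script run by the
# web server sees both headers as environment variables (HTTP_USER_AGENT,
# HTTP_REFERER), which is how the bug was reached over the network.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [06/Oct/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [06/Oct/2014:10:12:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :;}; /bin/bash -c 'id'"
198.51.100.7 - - [06/Oct/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "() { :;}; /bin/bash -c 'uname -a'" "curl/7.30.0"
EOF
}

# Count log lines whose logged header fields contain the Shellshock marker "() {".
# Fixed-string matching (-F) avoids regex metacharacter surprises with the braces.
count_shellshock_probes() {
    grep -cF '() {' "$1" || true
}

# Stand-alone usage: report the local bash status and scan the constructed log.
if [ "${1:-}" = "run" ]; then
    echo "local bash: $(shellshock_check)"
    log=$(mktemp)
    make_sample_log "$log"
    echo "shellshock probes in sample log: $(count_shellshock_probes "$log")"
    rm -f "$log"
fi
```

Run it with `sh shellshock_checks.sh run`. On a real server, point `count_shellshock_probes` at the actual access log and then pivot to the CGI scripts those requests hit; a `200` status on a probe is not by itself proof of execution.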
Yahoo! Games
Being a technology consultant and a UNIX expert, Hall used Google search to find Yahoo servers that were vulnerable to Shellshock, and went as far as discovering that Romanian hackers had obtained access to Yahoo servers and were secretly mining the Yahoo network for user data, particularly on the games servers. Since Yahoo Games is one of Yahoo's most popular services, the hackers targeted exactly these servers to mine for data. Hall discovered at least two Yahoo servers that had been breached.
No Bounty for Discovering the Hack
Hall contacted Yahoo with his discoveries. He emailed and tweeted Marissa Mayer and another member of Yahoo's team, and when he eventually got a response from the company, Yahoo confirmed the breach but declined to pay Hall for his discovery, stating that the Shellshock finding was not covered by Yahoo's bug bounty program. Notably, this is not the first time Yahoo has played dirty with researchers who submit their bug discoveries. Business Insider cites a 2013 case in which the CEO of a security firm reported three security bugs in Yahoo's online services and was granted a $25 voucher by the company as a bounty.
Yahoo Confirms Shellshock Hack
The contradiction arises when Yahoo backs away from what it had previously acknowledged: that its servers had been breached through the Shellshock vulnerability. Bloomberg BusinessWeek had published an email from Yahoo confirming that three of the company's servers were hacked through Shellshock. "As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network. We isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data," said the company's spokesperson Elisa Shyu.
Yahoo Denies Shellshock Hack
Only a day later, Yahoo released a second statement retracting the first. Yahoo's chief information security officer, Alex Stamos, said in a statement last Monday: "After investigating the situation, it turns out that the servers were in fact not affected by Shellshock."
Jonathan Hall, on the other hand, published another post stating that Yahoo's and Stamos's claims could not be trusted. "Yahoo has been hacked, and all your information with them is now in danger… The hack is stemming from Yahoo not keeping up with technology and failing to patch the world-known vulnerability!"
All Is Fixed, Your Data Is Safe with Us!
Stamos claims no user data was compromised on any of the affected servers: "The flaw was specific to a small number of machines and has been fixed. At this time we have found no evidence that these attacks compromised any other machines or that any user data was affected."
Stamos admitted the hack "caused some confusion in our team" and claims these servers had already been patched for Shellshock twice after news of the bug became public. "We conducted a comprehensive trace of the attack code through our entire stack, which revealed the root cause which was not Shellshock. Let this be a lesson to defenders and attackers alike. Just because exploit code works doesn't mean it triggered the bug you expected."
There is no definitive conclusion to this story, but Yahoo certainly doesn't look good in light of the hack, the assertions, confirmations and backpedaling, and the company's failure to encourage security researchers to submit their findings, who are offered a meager bounty or none at all.
Sources: Business Insider, OutLaw, Mashable, Future's Youth, Yahoo, Bloomberg BusinessWeek.