Yahoo said that hackers who accessed three of its servers did not use the bash “Shellshock” bug to gain access, rescinding the company’s earlier statement.
“Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock.”
After taking a closer look, Yahoo said the hackers wrote malicious code that impersonated Yahoo’s own software in order to enter the system. While Alex Stamos believes the hackers were looking for Shellshock-vulnerable servers, it was this mimicry, not the bug, that allowed them to gain access.
Any sort of hack is serious, but Stamos said that the hackers’ attack was less serious than if they’d used Shellshock, since Yahoo’s user data appears to be safe.
“The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected.”
Stamos also pushed back on security researcher Jonathan Hall’s allegation that Yahoo refused to compensate him for discovering the compromise. Hall, who first documented the hack on his website, later suggested on Reddit that Yahoo was ungrateful for the assistance, and that the company has a history of such behavior.
“Yahoo takes external security reports seriously and we strive to respond immediately to credible tips,” said Stamos. “We monitor our Bug Bounty and security aliases 24×7, and our records show no attempt by this researcher to contact us using those means.”
Hall is sticking to his guns, however, asserting that the hack was indeed due to Shellshock. His latest post, “Is Alex Stamos full of crap, or just the victim of an honest mistake? Either way, your data is NOT safe,” contains pasted code that Hall says shows him continuing to compromise the servers using Shellshock.
“I am flat out accusing Stamos and Yahoo of being dishonest and inaccurate in their reports of this breach, as well as being grossly negligent to their users and shareholders by releasing inaccurate and misleading information,” Hall wrote.
Photo of Alex Stamos by Dave Maass