Home Yahoo Denies Shellshock Hack, Blames Breach On Copycat Code

Yahoo Denies Shellshock Hack, Blames Breach On Copycat Code

Yahoo said that hackers who accessed three of its servers did not use the bash “Shellshock” bug to gain access, rescinding the company’s earlier statement.

Yahoo’s Chief Information Security Officer Alex Stamos summarized the situation in a Hacker News post Monday:

“Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock.”

After taking a closer look, Yahoo said the hackers wrote malicious code that impersonated Yahoo’s own software in order to enter the system. While Stamos believes the hackers were looking for Shellshock-vulnerable servers, it was their mimicry, not the bug, that allowed them to gain access to the system.

See also: Yahoo Games Hit By Shellshock Bug, Researcher Reports

Any sort of hack is serious, but Stamos said that the hackers’ attack was less serious than if they’d used Shellshock, since Yahoo’s user data appears to be safe.

“The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected.”

Stamos also defended against security researcher Jonathan Hall’s allegations that Yahoo refused to compensate him for discovering the Yahoo compromise. Hall, who first documented the hack on his website, later suggested on Reddit that Yahoo was ungrateful for the assistance, of which it has a history.

“Yahoo takes external security reports seriously and we strive to respond immediately to credible tips,” said Stamos. “We monitor our Bug Bounty and security aliases 24×7, and our records show no attempt by this researcher to contact us using those means.”

Hall is sticking to his guns, however, asserting the hack is indeed due to Shellshock. His latest post, “Is Alex Stamos full of crap, or just the victim of an honest mistake? Either way, your data is NOT safe,” contains pasted code of Hall continuing to allegedly compromise the servers using Shellshock. 

See also: Everything You Need To Know About The Shellshock Bug

“I am flat out accusing Stamos and Yahoo of being dishonest and inaccurate in their reports of this breach, as well as being grossly negligent to their users and shareholders by releasing inaccurate and misleading information,” Hall wrote.

Photo of Alex Stamos by Dave Maass

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.