Yahoo says attack wasn't Shellshock

Yahoo says no customer data was affected when a "handful" of servers were exploited by what it initially thought was the Shellshock bug. WinZip and Lycos were also reportedly hit by the widespread vulnerability.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.


Yahoo servers were infiltrated in the past two weeks by hackers who exploited the widespread Shellshock vulnerability, according to an independent security researcher. Yahoo said on Monday that no user data was at risk.

The Internet addresses of the breached Yahoo servers indicate that one was a Yahoo Sports server, according to a report by Future South Technologies president Jonathan Hall published late Sunday night. The report also said that Lycos, a search engine and portal dating back to 1994, and WinZip, a file-compression tool, were vulnerable to the Shellshock bug.

Shellshock, also known as the Bash bug, is a decades-old security hole discovered on September 24 that opens the vast majority of computers that run Linux and Unix -- including Apple's Mac OS X -- to hackers. Hackers can easily exploit the flaw to run potentially harmful code inside a bash shell, a simple interface commonly used to tell the computer what to do. Potentially, the Shellshock bug could be used to access sensitive information or gain control of the computer.

Yahoo originally confirmed to CNET on Monday afternoon that it identified "a handful" of its Web servers that had been hacked with the Shellshock bug. However, Yahoo's chief information security officer Alex Stamos later corrected that statement.

"Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw," Stamos wrote in a blog post. "After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock."

The culprit, Stamos said, was a different vulnerability that was specific to a debugging script Yahoo was running at the time of the attacks. Stamos reiterated that no customer data was at risk during the attack.

Hall, who said in his report that 10 years ago he had been "accused of computer crimes" and had run-ins with the Federal Bureau of Investigation, has notified the companies affected and the FBI.

"Though the FBI seemed intrigued by this, in my opinion, they aren't moving with any form of haste," he wrote. "And every minute that goes by jeopardizes the safety of yours and my personal information, financial data and much much more."

A Yahoo spokeswoman described the breach to CNET as "isolated" and said, "The servers did not house any user information."

"Last night, we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data," Yahoo said in a prepared statement.

Despite Yahoo's fixes, Hall was not impressed with Yahoo's response.

"You can't just assume that no user data was affected," he said, and criticized the lack of specifics in the Yahoo statement. "Did you shut down three servers, or did you isolate a handful? Once you're in one [server], it's not that hard to start hopping through one after another."

After Stamos updated Yahoo's take on the problem, Hall said that he stood by his research that identified Shellshock as the exploited vulnerability. The Yahoo attack was aimed at what was essentially a variant of Shellshock, which is not an unusual development with the bug. Apple, for example, has already had to mitigate several Shellshock-based exploits.

"It didn't follow the exact syntax and commands that [Yahoo] expected," said Hall, who admonished Yahoo for not being forthcoming with details about the attack. To prove that the attack wasn't exploiting Shellshock, "they should make public unhindered, untampered-with [server] logs. They still haven't said how many servers were actually compromised," he said.

Hall said that WinZip appeared to have fixed its Shellshock vulnerability without notifying him or making a public statement. A WinZip spokeswoman told CNET in a statement that no user data was compromised when the company was attacked, and that it will "apply the appropriate software updates as issues are identified."

Lycos did not return a request for comment.

Hall said that for most Shellshock vulnerabilities, it shouldn't take more than 10 to 15 minutes to write and deploy a script that would fix the security hole.

Update, 5:08 p.m. PT: Changes headline to reflect new Yahoo statement on Shellshock and includes statement from WinZip.