After initially saying an attack on its servers was carried out via Shellshock, Yahoo is changing its tune.
The company said hackers exploited a different vulnerability, claiming that no user data was compromised in the breach.
Shellshock is a recently discovered security vulnerability in Bash, a command interpreter (shell) that has run on millions of computer systems since the 1980s. In simplest terms, an attacker who exploits the Shellshock bug can execute code on a system running Bash, which is part of Mac OS X and many Unix operating systems. This could potentially, but not necessarily, lead to the attacker gaining full access to the system. It is a serious threat to web servers.
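The flaw described above is that an older Bash, when importing a function definition from an environment variable, kept evaluating whatever followed the function body. The check below is an added example, not code from the article or from Yahoo; it asks the local `bash` whether it still does so, and is the kind of host check an administrator would run to confirm a fleet was patched. The variable name `probe` and the marker string are arbitrary choices.

```shell
#!/bin/sh
# Added diagnostic (not from the article): does the local bash still run the
# command that trails a function definition imported from the environment?
# Prints "vulnerable", "patched" or "no-bash"; returns 1 only when vulnerable,
# so it can gate a deployment or a configuration check.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # "probe" carries a function body followed by an extra command.
    # A patched bash treats the value as an ordinary string (or imports the
    # function and ignores the trailer); a vulnerable bash executes the
    # trailing "echo" while importing its environment, before 'true' runs.
    out=$(env probe='() { :;}; echo shellshock' bash -c 'true' 2>/dev/null)
    if [ "$out" = "shellshock" ]; then
        echo "vulnerable"
        return 1
    fi
    echo "patched"
    return 0
}
```

Run it on each host; any output other than `patched` (or `no-bash` on hosts without Bash) means the update has not been applied.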
While Yahoo released a statement to SecurityWeek on Monday, which seemed to confirm that the security flaw was indeed Shellshock, the company later backpedaled.
“After investigating the situation, it turns out that the servers were in fact not affected by Shellshock,” Alex Stamos, Yahoo’s chief information security officer, announced Monday in a statement.
The supposed use of Shellshock against Yahoo first came to light in a blog post by technology consulting firm Future South Technologies, which claimed Romania-based hackers were using Shellshock to attack Yahoo servers.
“Yahoo! has been hacked, and all your information with them is now in danger,” Jonathan Hall, a Future South security researcher, said in the post. “[The hack is] stemming from [Yahoo] not keeping up with technology and failing to patch a world-known vulnerability!”
While Hall said in another Future South post that Yahoo’s and Stamos’ assertions cannot be trusted, Yahoo said the incident involved hackers scanning for servers vulnerable to Shellshock.
Malicious code was executed on three Yahoo servers, which were then isolated, according to Stamos. These servers were used for Yahoo’s sports updates, and the company said it has taken steps to ensure the security threat won't happen again.
“At this time, we have found no evidence that these attackers compromised any other machines or that any user data was affected,” Stamos said on Monday. “This flaw was specific to a small number of machines and has been fixed.”