
Yahoo server breach isn’t due to Shellshock as initially thought

Yahoo has said that a small number of its servers which were breached weren't, in fact, exploited via the Shellshock (Bash) bug.

Shellshock is a gaping hole that appeared on the security radar at the end of last month and was loudly proclaimed as worse than Heartbleed (a wide-sweeping vulnerability that caused massive waves earlier this year). It affects the shell (hence the name) of a computer, specifically the Bash shell, leaving many Linux, Unix, and OS X systems open to exploitation until they are patched.

At first Yahoo had thought a breach discovered on several of its servers was due to Shellshock, but CNET spotted a blog post from Alex Stamos, CISO at Yahoo, which noted that it wasn't the widespread vulnerability after all.


Stamos commented: "After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock."

He explained: "Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs."

So this was an unhappy coincidence for Yahoo, and even though it wasn't a Shellshock exploit, it was still a breach that represented a major threat. Yahoo says it isolated the affected servers, and fortunately those servers didn't contain any user data that could be pinched.
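The failure Stamos describes, a log-parsing script that treats client-supplied fields as trusted input, is illustrated by this added example (it is not Yahoo's script, whose details are not public): it parses constructed combined-format web log lines, flags Shellshock-shaped values with an exact-string filter beside a whitespace-tolerant one, and shows how a follow-up tool should receive a log field without passing it through a shell. The log lines, field names and the `safe_lookup_argv` helper are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache combined format (not Yahoo's logs).
# Line 3 carries the public Shellshock probe shape in its User-Agent;
# line 4 is a whitespace-mutated variant of the same marker in the Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Oct/2014:10:01:12 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Oct/2014:10:01:13 +0000] "GET /api/scores HTTP/1.1" 404 0 "-" "curl/7.38"',
    '203.0.113.9 - - [06/Oct/2014:10:01:14 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; echo probe"',
    '203.0.113.9 - - [06/Oct/2014:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "() {  :; }; echo probe" "-"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Exact-string filter: the kind of check a lightly mutated probe slips past.
NAIVE_MARKER = "() { :;};"
# Tolerant signature: the function-definition prefix, whitespace allowed to vary,
# checked against every client-controlled field rather than only the User-Agent.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def naive_flag(fields: Dict[str, str]) -> bool:
    return any(NAIVE_MARKER in v for v in fields.values())


def tolerant_flag(fields: Dict[str, str]) -> bool:
    return any(SHELLSHOCK_RE.search(v) for v in fields.values())


def triage(lines: List[str]) -> Dict[str, int]:
    """Count lines each detector flags; lines that fail to parse are counted too."""
    counts = {"naive": 0, "tolerant": 0, "unparsed": 0}
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            counts["unparsed"] += 1
            continue
        counts["naive"] += int(naive_flag(fields))
        counts["tolerant"] += int(tolerant_flag(fields))
    return counts


def safe_lookup_argv(field_value: str, logfile: str) -> List[str]:
    """Hand a log-derived value to grep as a literal argv element: no shell, no
    string interpolation, so metacharacters in the value are never interpreted."""
    return ["grep", "-F", "--", field_value, logfile]
```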

Stamos asserted: "At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected."
