Pando

Shellshock rising: Yahoo's servers reportedly compromised by devastating bug

By Nathaniel Mott , written on October 6, 2014

From The News Desk

Yahoo's servers have been compromised by Romanian hackers looking to gain access to the popular Yahoo Games server, security researcher Jonathan Hall reported on his website, with a corresponding email purportedly from Yahoo's in-house security team confirming the breach.

The hackers are said to have gained access to Yahoo's servers through the Shellshock bug -- a vulnerability in Unix-based operating systems that can allow attackers to take total control over an affected device -- making it the first large breach revealed to be a result of the bug that some security researchers have described as being worse than the Heartbleed bug revealed in April.

Hall described the severity of the problem on his website, and he said originally that he hadn't been able to find the right person at Yahoo to whom he could send his discovery, making it hard for him to point out a serious, ongoing attack making its way through the company's servers:

I notified the FBI of the breach, and also attempted to contact Yahoo! several times. Though the FBI seemed intrigued by this, in my opinion, they aren’t moving with any form of haste. And every minute that goes by jeopardizes the safety of yours and my personal information, financial data and much much more. This is a very serious issue and a very serious manner that needs to be addressed immediately. I’ve also emailed Marissa Mayer and contacted her via twitter, both of which yielded zero results and no response. There are no publicly available contact methods for Yahoo! that have yielded any luck with trying to contact them regarding this. I also have not heard anything back on the WinZip domain, either. This is a gross negligence and complete lack of care or concern for the safety of the consumers in terms of financial information.
A member of Yahoo's security team then contacted Hall, who posted a screenshot of the email to his website as proof that Yahoo was finally taking his warnings more seriously, confirming that they had found the same indications of an attack on their servers and are going to continue their internal investigation of the attack in an effort to determine how serious it might become.

While this might be among the first attacks thought to have been made possible by Shellshock, it almost certainly won't be the last. The problem can be fixed, but it requires some amount of concern for user information, and many companies don't react to threats against customer data until a vulnerability frightens consumers into steering clear of services that might be insecure.

That's why security researchers make this information available to the public, as I discussed when two researchers used GitHub to publish the code used to take advantage of a serious, potentially-unfixable problem with USB firmware, putting many people at risk in the process:

Companies can’t be convinced to fix something that they don’t perceive as broken until their customers start to voice their concerns, and getting people to care about security issues with their tech products is like trying to make them care about climate change: most people have already decided whether they’re scared or not, and it’s hard to make people on either side of the aisle change their minds.

So you reveal the problem, make it easy for others to implement it, and hope that companies are scared enough to fix the vulnerability before too many people are harmed by your mostly-benevolent decision to make exploit public. It seemed to work in this case -- Hall didn't receive any response from Yahoo until after he published a blog post describing the attack. The problem is that it's going to take many more blog posts for Shellshock's threat to be minimized if companies only respond to the problem when some researcher or another describes their lax security to the rest of the world.

[photo by Tambako]