A security researcher has discovered that Yahoo has fallen victim to the newly discovered Shellshock vulnerability (also known as the bash bug), with Romanian hackers using it to gain access to Yahoo’s systems. An email from Yahoo’s security team already confirms that Yahoo has been hacked. The finding was originally submitted to Yahoo, but it isn’t eligible for their bug bounty program, which for some reason doesn’t reward people for finding chinks in Yahoo’s armor before hackers do. This appears to be a significant flaw in Yahoo’s security policies and must be addressed by Marissa Mayer herself.
Disclosure and disclaimer: This document is being released due to several high profile companies being infiltrated using the recent Shellshock vulnerability, and what I have deemed an improper response, or lack thereof, to resolving the issue from certain key companies contacted, as well as the FBI. Amongst the affected companies are Yahoo! and Lycos, major players and names in the technology world. This breach affects ALL of us in one way or another, and it’s crucial that this problem be resolved with haste. The FBI took the information down and went on their way. Yahoo! has not responded at all. I’ve attempted to email them, call them, and resorted to contacting Marissa Mayer directly via both email and Twitter, to neither of which I have received a response as of yet. The ignoring of this issue is grossly negligent and almost criminal. As such, I felt that for the safety of anyone using these services, it would be best to publicly disclose as much information as needed to get them moving and working towards resolving the issue before things get worse. All research and testing discussed in this paper was performed by Jonathan D. Hall of Future South Technologies.
Yahoo has been struggling to regain the trust of users after its email data breaches and the overall decline of the company as an internet destination for most users. Under Marissa Mayer’s leadership, the company has tried to become more of a content provider rather than a search or news destination. Its most popular applications, such as Flickr, have struggled to retain their audiences and recover the users lost to services like 500px, largely because Yahoo has been unwilling to listen to the community and give it what it wants. Flickr was once the default destination for professional and amateur photographers, and since the service’s decline, many viable competitors have cropped up to give people what they want.
The problem for Yahoo is that it does not take security risks seriously, or at least not as seriously as it says it does, and it continually finds itself the target of hackers. Yahoo still has a fairly large user base, especially for Yahoo Mail, which makes it a big, juicy target for hackers who know that Yahoo is slow to adapt and secure its systems. Security is an ever evolving game, and if your security team is not constantly working to address new threats and actively working to prevent them, then you are going to end up like Yahoo: a sitting duck and a popular target.
Yahoo has told Bloomberg that three of its servers were compromised but that no data was taken, a claim that still needs to be evaluated, as does whether only three servers were accessed.