Yesterday, security researcher Jonathan Hall, of a company called Future South Technologies, accused Yahoo of having suffered a serious security breach via the recently discovered Shellshock vulnerability in Bash.

In a blog post, entitled “Yahoo! Shellshocked Like Ninja Turtles!”, replete with Yahoo-style exclamation marks, Hall accused the firm of gross negligence:

“Yahoo! Has been HACKED, and all your information with them is now in danger! All stemming from them not keeping up with technology and failing to patch a world-known vulnerability! This breach affects ALL of us in one way or another, and it’s crucial that this problem be resolved with haste. The FBI took the information down and went on their way. I’ve attempted to email them, call them, and resorted to contacting Marissa Mayer directly via both email and Twitter, neither to which I have received a response as of yet. The ignoring of this issue is grossly negligent and even almost criminal.”

And, as researcher Jonathan Hall clearly expresses, he is less than impressed by the internet giant’s response – claiming that it failed to act quickly enough after he reported the breach. After all, Yahoo has hundreds of millions of users that could potentially be impacted.

According to Hall, a member of Yahoo’s security response team only finally responded after he sent an email directly to CEO Marissa Mayer (which he helpfully cc’d to the New Orleans branch of the FBI).

This, and the fact that last year Yahoo rewarded a security firm’s researchers with a Yahoo t-shirt after they found cross-site scripting (XSS) bugs that could compromise *any* email account, does not help to demonstrate the firm’s commitment to security.

Understandably, Yahoo was keen to address Jonathan Hall’s claims before users were panicked by claims that “all your information with them is now in danger”.

In a statement posted online by Yahoo CISO Alex Stamos, the company said that early on Monday it identified several servers that it had been informed were vulnerable to compromise via the Shellshock Bash bug. However, the company said, although a “handful of servers” were impacted by a security flaw – and malicious code run upon them – they “were in fact not affected by Shellshock.”

“Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs. Regardless of the cause, our course of action remained the same: to isolate the servers at risk and protect our users’ data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected.

As you can imagine, this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!”
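The failure mode Stamos describes in the statement above (a probe that a patched bash ignores, which instead lands in a command-injection bug in a script that shells out while parsing web logs) is easy to reproduce in miniature. The Python below is an added illustration written for this page; it is not Yahoo's monitoring script and not the attackers' real payload. The log lines, the three User-Agent strings, the grep-based counting helper and the temp file it writes are all constructed here as assumptions. It runs the public CVE-2014-6271 self-test first, so you can watch bash report "patched" and then watch the injected command execute anyway.

```python
"""Added example: a Shellshock-style probe that a patched bash ignores but a
log-parsing script executes anyway (hypothetical script, constructed data)."""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed User-Agent strings (assumptions for this example, not real traffic).
UA_BENIGN = "Mozilla/5.0 (compatible; scoreboard-widget/1.2)"
# The canonical CVE-2014-6271 probe: an exported function body followed by a
# trailing command that an unpatched bash runs while importing the function.
UA_SHELLSHOCK = "() { :;}; echo SHELLSHOCK-RAN"
# A hypothetical "mutated" probe: the reshaped string no longer matches a naive
# IDS signature for "() { :;}; ", a patched bash still ignores it, but the
# single quote it carries lines up with the quoting bug in count_hits_vulnerable().
UA_MUTATED = "() { :;}'; echo INJECTED-VIA-LOG-PARSER; : '"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def log_line(ip, ua, path="/api/live/scores", status=200):
    """Build one constructed Apache/nginx 'combined' access-log line."""
    return (f'{ip} - - [06/Oct/2014:02:14:01 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


SAMPLE_LOG = "\n".join([
    log_line("198.51.100.20", UA_BENIGN),
    log_line("203.0.113.7", UA_SHELLSHOCK, "/cgi-bin/status", 404),
    log_line("203.0.113.7", UA_MUTATED, "/cgi-bin/status", 404),
]) + "\n"


def parse_user_agent(line):
    """Return the User-Agent field of a combined-format log line (None if unparsable)."""
    m = LOG_RE.match(line)
    return m.group("ua") if m else None


def bash_shellshock_status():
    """Public CVE-2014-6271 check: export a variable whose value is a function
    body plus a trailing command, then start bash. An unpatched bash executes
    the trailing command during environment import; a patched one does not."""
    bash = shutil.which("bash")
    if bash is None:
        return "bash-not-found"
    env = dict(os.environ, SS_PROBE="() { :;}; echo VULNERABLE")
    out = subprocess.run([bash, "-c", "echo probe"], env=env,
                         capture_output=True, text=True).stdout
    return "vulnerable" if "VULNERABLE" in out else "patched"


def count_hits_vulnerable(user_agent, logfile):
    """How a shell-out in a debugging script goes wrong: the log field is
    spliced into a command line and handed to /bin/sh, so a quote inside it
    ends the literal and whatever follows runs as a command. This needs no
    Shellshock at all; it works against a fully patched bash."""
    cmd = f"grep -c -F '{user_agent}' {logfile}"  # BUG: interpolating data into a shell line
    return subprocess.run(cmd, shell=True, stdin=subprocess.DEVNULL,
                          capture_output=True, text=True).stdout


def count_hits_safe(user_agent, logfile):
    """Hardened form: argv list, no shell, '--' so a field starting with '-'
    cannot become an option. The User-Agent is now only ever data."""
    return subprocess.run(["grep", "-c", "-F", "--", user_agent, logfile],
                          stdin=subprocess.DEVNULL,
                          capture_output=True, text=True).stdout


def run_demo():
    """Write the constructed log to a temp file, run both parsers over every
    line's User-Agent, and return {label: stdout} for inspection."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write(SAMPLE_LOG)
        path = fh.name
    try:
        results = {"bash": bash_shellshock_status()}
        for i, line in enumerate(SAMPLE_LOG.splitlines()):
            ua = parse_user_agent(line)
            results[f"vulnerable[{i}]"] = count_hits_vulnerable(ua, path)
            results[f"safe[{i}]"] = count_hits_safe(ua, path)
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, out in run_demo().items():
        print(f"{label:14} -> {out!r}")
```

Run it on a current system and the self-test reports "patched", the canonical probe is counted as an ordinary string by both parsers, and only the mutated probe through count_hits_vulnerable() prints INJECTED-VIA-LOG-PARSER. That is the distinction the trace Stamos describes had to establish: the payload ran, but the bug that ran it was the script's quoting, not bash. Two practical consequences follow. A signature on the well-known "() {" prefix would have matched the first probe and missed the second, so detection that keys on the exploit string rather than on the shell-out is fragile; and the fix is not another bash patch but removing the shell from the data path, as count_hits_safe() does.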