If true, it may be the first confirmed exploitation of the Shellshock vulnerability, as at least two Yahoo Games servers have been breached due to an outdated bash version.
“This breach is very serious, and jeopardizes every consumer that uses Yahoo! in any manner, from shopping to email, and even game playing,” said Jonathan Hall of Future South Technologies. “I’ve notified both Yahoo! and the FBI New Orleans field office of the infiltration, but in my eyes, they really aren’t seeing the severity and danger of this situation, and really are not reacting quick enough.”
Romanian hackers appear to be responsible for infiltrating Yahoo’s servers, as they were “working on further infiltrating the Yahoo! Network.”
The two Yahoo servers that Hall found to be compromised are “dip4.gq1.yahoo.com” and “api118.sports.gq1.yahoo.com”, and he did not rule out that others had been compromised as well.
At first, Yahoo responded that, as soon as it became aware of the Shellshock bug, it began patching its systems and started closely monitoring its networks.
“Last night, we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data,” a Yahoo spokesperson told Security Week.
Later, Yahoo CISO Alex Stamos stated that three of Yahoo’s Sports API servers had “malicious code executed on them” by attackers targeting possibly Shellshock-vulnerable servers.
“These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters,” Stamos said. “This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.”
Yahoo’s servers were only used to serve live game streaming on Yahoo’s Sports front-end and had no data stored on them. Yet we can be certain of one thing: Shellshock or no Shellshock, Yahoo’s servers have been compromised.