Yahoo has said that it has fixed a flaw on a small number of servers that, contrary to earlier reports, was not the Shellshock bug.
Following several stories claiming that Yahoo had been compromised, CISO Alex Stamos left a lengthy comment on The Hacker News stating that the company had “isolated a handful of servers” and that, after a full investigation, those servers were found not to have been affected by Shellshock.
He said: “Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.
“Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users’ data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.”
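The failure mode Stamos describes, a Shellshock-style probe in a request header that never triggers the Bash bug but does land in a shell via a log-parsing helper, is shown below as a constructed example. This is not Yahoo's monitoring script and not code from the original article: the log lines, the mutated User-Agent, the `grep`-based helper and the naive signature string are all assumptions chosen for illustration. The vulnerable helper interpolates a log field into a shell command; the hardened one passes it as an argv element with fixed-string matching; the detector shows why an exact-match signature for the public probe misses a trivially mutated one.

```python
import os
import re
import subprocess
import tempfile

# Constructed sample log lines in combined log format (not real traffic).
# The second line's User-Agent is a hypothetical mutated Shellshock probe:
# the standard "() { :;}" function prefix followed by a double quote, which
# happens to close the string that the vulnerable helper below builds.
SAMPLE_LOG = (
    '203.0.113.5 - - [29/Sep/2014:10:00:01 +0000] '
    '"GET /sports/api/live HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
    '198.51.100.9 - - [29/Sep/2014:10:00:02 +0000] '
    '"GET /cgi-bin/status HTTP/1.1" 200 17 "-" '
    '"() { :;}"; echo INJECTED #"\n'
)

# The kind of exact-match string a naive IDS/WAF rule might use for the
# original public Shellshock probe; the mutated payload does not contain it.
NAIVE_SIGNATURE = "() { :;};"
# A looser, whitespace-tolerant pattern for the function-definition prefix.
LOOSE_PATTERN = re.compile(r"\(\s*\)\s*\{")


def write_sample_log():
    """Write SAMPLE_LOG to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_LOG)
    return path


def user_agents(log_text):
    """Return the User-Agent (last quoted field) of each log line."""
    agents = []
    for line in log_text.splitlines():
        # Everything after the last ' "', minus the closing quote.
        agents.append(line.rsplit(' "', 1)[1].rstrip('"'))
    return agents


def count_requests_vulnerable(ua, logfile):
    """Count lines for a User-Agent by interpolating it into a shell
    command. A field containing a double quote breaks out of the grep
    pattern and whatever follows is executed by /bin/sh."""
    cmd = f'grep -c "{ua}" {logfile}'
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return proc.stdout


def count_requests_safe(ua, logfile):
    """Same count with no shell: an argv list, fixed-string matching (-F)
    and '--' so the field can be neither executed nor read as an option."""
    proc = subprocess.run(["grep", "-c", "-F", "--", ua, logfile],
                          capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return proc.stdout.strip()


def looks_like_shellshock(ua):
    """Whitespace-tolerant detector for the Shellshock function prefix."""
    return LOOSE_PATTERN.search(ua) is not None


if __name__ == "__main__":
    path = write_sample_log()
    for ua in user_agents(SAMPLE_LOG):
        print(repr(ua))
        print("  naive signature hit:", NAIVE_SIGNATURE in ua)
        print("  loose pattern hit:  ", looks_like_shellshock(ua))
        print("  vulnerable helper:  ", repr(count_requests_vulnerable(ua, path)))
        print("  hardened helper:    ", repr(count_requests_safe(ua, path)))
    os.unlink(path)
```

Run against the constructed log, the vulnerable helper returns `0` from grep followed by the attacker's `INJECTED` line, while the hardened helper simply reports one matching line: the same payload is data in one path and code in the other, on a host whose Bash may be fully patched. The pattern worth adding to a code scanner, as Stamos describes, is the interpolation of untrusted fields into a `shell=True` command, not the Shellshock string itself.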
Stamos acknowledged that the episode caused some confusion in his team, since the servers in question had been patched twice immediately after the Bash issue became public. This followed an earlier Bloomberg report in which Yahoo said that it had servers compromised by Shellshock.
Stamos said that once the affected servers had been isolated from the network, a comprehensive trace of the attack code through Yahoo's entire stack revealed that the root cause was not Shellshock.
He said: “Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!”