Contrary to news reports yesterday, an attack against several Yahoo servers this weekend was not related to Shellshock, according to Yahoo CISO Alex Stamos, who also says no user data was accessed during the attack. Stamos made his assertion after reports from the independent researcher Jonathan Hall that Romanian hackers had infiltrated Yahoo's network through the Bash bug vulnerability on its servers.
Though a company spokesperson did initially say Shellshock was to blame, Stamos said his team found that the incident was isolated to three Yahoo Sports servers, which attackers were probing for Shellshock vulnerabilities.
"After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock," Stamos wrote in a post to the Hacker News forum. "These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs."
According to Stamos, only three servers were affected. These servers were isolated from the network and provide live game streaming data, so no user data was impacted. The early indications that the attack came via Shellshock "caused some confusion" at first, because his team had already patched its servers with fixes for the Bash bug.
"Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack, which revealed the root cause: not Shellshock," Stamos wrote. "Let this be a lesson to defenders and attackers alike: just because exploit code works doesn't mean it triggered the bug you expected!"
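The shape of the bug Stamos describes, as an added illustration rather than Yahoo's own script (which was never published): a hypothetical log-debugging helper that interpolates the User-Agent field of a web-log line into a shell command, the quoted version that keeps the field a single argument, and a defender-side check that flags Shellshock-style probes in the log. The log lines and all function names are constructed for this example.

```python
import re
import shlex

# Constructed sample web-log lines in combined log format (not from the incident).
# The second line carries a Shellshock-style probe in the User-Agent field.
SAMPLE_LOG = (
    '203.0.113.7 - - [06/Oct/2014:10:01:02 +0000] "GET /live/score HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
    '203.0.113.9 - - [06/Oct/2014:10:01:05 +0000] "GET /cgi-bin/stats HTTP/1.1" 404 0 "-" "() { :;}; echo probe"\n'
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock-style function-definition prefix; optional whitespace so spacing variants still match.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

def parse_log(text):
    """Return one dict per well-formed log line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def build_vulnerable_command(ua, path="access.log"):
    """Hypothetical debug helper that interpolates a log field into a shell string.
    Executed with subprocess.run(..., shell=True) this is a command injection bug:
    shell metacharacters in the User-Agent become part of the command line."""
    return f"grep -c {ua} {path}"

def build_safe_command(ua, path="access.log"):
    """Same helper with the field quoted, so the whole User-Agent stays one argument."""
    return f"grep -c {shlex.quote(ua)} {path}"

def argv_seen_by_shell(cmd):
    """Tokenise a command string the way a POSIX shell would (no execution)."""
    return shlex.split(cmd)

def shellshock_probes(text):
    """Defender-side check: (ip, ua) for lines whose User-Agent carries a Shellshock-style prefix."""
    return [(e["ip"], e["ua"]) for e in parse_log(text) if SHELLSHOCK_RE.search(e["ua"])]

if __name__ == "__main__":
    for ip, ua in shellshock_probes(SAMPLE_LOG):
        print(f"probe from {ip}: {ua!r}")
        print("unsafe tokens:", argv_seen_by_shell(build_vulnerable_command(ua)))
        print("safe tokens:  ", argv_seen_by_shell(build_safe_command(ua)))
```

The unsafe variant turns the probe into eight shell words, so the text after the first `;` would run as a separate command regardless of whether Bash itself is patched; the quoted variant hands grep one literal argument.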
For his part, though, Hall remains dubious. In a response to Stamos's post, he expressed skepticism that attackers mutated the Shellshock payload in a way that "coincidentally perfectly met the conditions" of the Yahoo monitoring script. Such a coincidence would require an attacker to "hit the lottery," according to Hall.
"At this point, I'm not convinced the problem is contained, nor am I convinced the users' data is secure," he said. "The Yahoo infiltration was from the Shellshock vulnerability and it did not originate on the sports servers. How do I know? Because I sat there watching it happen."
The antagonism between Hall and Yahoo seems to have colored the entire episode. During the initial disclosure of the vulnerability, Hall claimed Yahoo was unresponsive when he tried to report the issue. He ended up tweeting to Yahoo CEO Marissa Mayer and sending her an email about it.
Stamos says that Hall never made an attempt to contact his team through its Bug Bounty program or any of its security email accounts, which are manned around the clock. He says his team began investigating the matter within an hour of Hall's email to Mayer.
"Yahoo takes external security reports seriously and we strive to respond immediately to credible tips," Stamos said. "Our records show no attempt by this researcher to contact us using those means."
This is substantiated by Hall, who says he did not know about Yahoo's bounty program and tried to contact Yahoo through the phone number on its whois domain name lookup records.