Wednesday, October 8, 2014

Yahoo admits that it suffered an invasion, but denies access to data – Globo.com

Yahoo confirmed that some of its servers were compromised by hackers who exploited a flaw in code used by the sports section of the portal. Alex Stamos, the company's information security executive, left a post on the site “Hacker News” on Tuesday (7) admitting the invasion and reporting information about the investigation of the problem.

The breach was identified by security expert Jonathan Hall, president of Future Technologies. Hall was analyzing servers vulnerable to the “Shellshock” security flaw. He identified a vulnerable server belonging to the WinZip software, and there found files that pointed to an invasion of Yahoo, made by the same group and supposedly using the same flaw, Shellshock.

Shellshock is a recently discovered flaw that allows hackers to run commands on computers that have a vulnerable version of the “Bash” software. Bash is used in many Unix-based operating systems such as Linux and Mac OS X, and is very common on web servers. Once a vulnerability is found, exploiting the flaw is quite simple.

Stamos denied that the hackers exploited the Shellshock bug to invade Yahoo’s servers. The code used, however, was similar. According to him, the attackers had modified the exploitation method in order to circumvent protection programs such as firewalls. With this modification, the hackers' code accidentally became able to also exploit a flaw in an unrelated Yahoo program.

Because the servers only provided data for the sports section of the portal, they held no user information, such as email, Stamos said.

The Yahoo executive also criticized Hall for not having contacted the company through its rewards program. Under the program, the company commits to paying researchers who find flaws in the portal's services.

In his original text, Hall said that Yahoo did not have a channel to receive this information. Since Stamos's post was published, Hall has also criticized the explanations given by the company and said that, in his opinion, Yahoo users' data is still not safe.
