Security researcher Jonathan Hall says he has found evidence that Romanian hackers used the Shellshock bug to gain access to Yahoo servers, according to a post on his website Future South.
The Shellshock bug lets hackers take control of servers by exploiting a vulnerability in Bash, a shell found on Linux and Unix systems. The problem has existed for over 20 years, but it was only discovered in September. If a hacker gains access to a server using the Shellshock bug, they could see everything that is stored there.
Hall, a technology consultant and Unix expert, outlined in his post the process he used to track down the hacked Yahoo servers. Hall used a Google search to find servers that had been left vulnerable to Shellshock. He discovered that the WinZip.com domain was being used by hackers to track down other servers that could be vulnerable to the bug.
Hall went on to find that Romanian hackers had gained access to Yahoo’s servers, and were gradually exploring the network in search of the popular Yahoo! Games servers. Yahoo’s games are played by millions of people, making them a target for hackers looking to wreak havoc. Through his research, Hall discovered that two of Yahoo’s servers had been breached by hackers, and that more could have already been accessed.
Yahoo’s servers were vulnerable to attack because they were running an old version of Bash, the Unix shell. Hall emailed and tweeted Marissa Mayer, as well as a member of Yahoo’s engineering team. Eventually he received a response from Yahoo that confirmed its servers had been breached and that it was working through its incident response process. Hall says Yahoo refused to pay him for the discovery, on the grounds that it is not covered by the company’s bug bounty program.
Yahoo has come under fire in the past for its response to security researchers who uncover bugs in its servers. In 2013 the CEO of a security firm was awarded a $US25 voucher for Yahoo-branded items after he uncovered three bugs in Yahoo’s online services.
Business Insider contacted Yahoo for comment on this story and will update this post when we hear back.