By Alex Stamos, Chief Information Security Officer
Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation, it turns out that the servers were in fact not affected by Shellshock.
This weekend, three of our Sports API servers had malicious code executed on them by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.
Regardless of the cause, our course of action remained the same: to isolate the servers at risk and protect our users’ data. The affected API servers do not store user data. At this time we have found no evidence that these attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.
Yahoo takes external security reports seriously and we run one of the most successful Bug Bounty programs in the world. We monitor our Bug Bounty and security aliases (email@example.com) 24/7 and we strive to respond immediately to credible tips.
We remain committed to providing the most secure experience possible for our users worldwide.
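An illustration of the class of bug described above, added here and not taken from Yahoo's script: a log-reporting helper that lets a logged request field reach the shell, next to a form that treats it as data, plus a simple scanner rule of the kind a CI/CD check might apply. The statement does not say how the monitoring script handled log fields, so the `eval`-based function, the sample log line and the scanner regex are all hypothetical.

```shell
#!/bin/sh
# Constructed sample access-log line (combined format). The User-Agent field
# carries a harmless command substitution standing in for untrusted input.
SAMPLE_LINE='203.0.113.7 - - [05/Oct/2014:10:00:00 +0000] "GET /v1/scores HTTP/1.1" 200 512 "-" "probe $(echo INJECTED)"'

# Extract the last double-quoted field (the User-Agent) from a log line.
extract_ua() {
    printf '%s\n' "$1" | awk -F'"' '{ print $(NF-1) }'
}

# Vulnerable (hypothetical): a command string is built from log data and
# handed to eval, so $(...) inside the field is run by the shell.
report_ua_vulnerable() {
    ua=$(extract_ua "$1")
    eval "echo UA: $ua"
}

# Hardened: the field is only ever passed to printf as an argument, so it
# is printed literally and never interpreted as shell syntax.
report_ua_safe() {
    ua=$(extract_ua "$1")
    printf 'UA: %s\n' "$ua"
}

# Scanner rule (assumed, not Yahoo's): read script source on stdin and flag
# lines where eval is applied to a string containing a variable expansion.
flag_risky_eval() {
    grep -nE '(^|[;&|[:space:]])eval[[:space:]].*\$' || true
}
```
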