Security researcher says some Yahoo infrastructure was breached via Shellshock, which Yahoo denies

Let's go through the news cycle:

* Yahoo says that some sports servers have been breached with Shellshock

* Yahoo then denies that it was Shellshock, saying it was some other, unnamed vulnerability

Now the security researcher gets back at them (after some unnecessary accusations and wordplay by Yahoo staff) and still maintains that it is Shellshock:

"The Yahoo! infiltration WAS from the “Shellshock” vulnerability, and it did NOT originate on the sports servers / APIs. How do I know? Because I sat there watching it happen, all the while trying to contact them during it – yielding zero results. This issue was not something that one would report via the bounty for bugs program, a program which – to be fully honest – I did not even know existed at the time. It was almost 5:00 am when I began trying to contact them, and the phone numbers on their whois records yielded a message indicating they were only available during office hours. There was no voicemail."
http://www.futuresouth.us/wordpress/?p=25 (the article explains the rest)

But as a Yahoo user since the beginning, I can be shellshocked that

* there is no permanent security incident helpdesk (called a CERT in other firms or countries)

* either they don't know what happened or they are not telling us, and either way they lose. If it was Shellshock, they look stupid because they didn't patch the sports servers right away (probably thinking the chance of these being breached was low, and preferring to wait for a general patch for the now seven vulnerabilities, or for the specific new patches the industry is waiting for but not getting). If it was not Shellshock, their explanation is not very convincing, because if there is another bug like Shellshock around, everybody should know about it (what it is and what to do about it)

* the shouting match with the security researcher is unhelpful and unnecessary, and some of the arguments in the online PR campaign are just ridiculous

And it confirms what we have known about Yahoo for a year or two: through all those transformations and downgrades and whatever else, it still doesn't have a security policy, a security team and a security budget that match its importance.