YAHOO HAS COOLED REPORTS that Shellshock vulnerabilities enabled an assault on its databases.
The company did confirm that there was some kind of security breach on its servers, but took pains to clear up reports which suggested that Shellshock was the reason.
Yahoo's chief information security officer, Alex Stamos, took to the net to correct earlier comments that had originated at Yahoo.
"Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock," wrote Stamos.
"Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters.
"This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs."
Stamos said that everything has been patched and that the affected servers have been isolated. He added that no user data was stored on the hardware.
"The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed," he added.
"As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public.
"Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock." µ
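The failure mode Stamos describes, attacker-controlled request data reaching a shell through a log-processing script, shown as an added example that is not Yahoo's code or part of the original article. The log line, the helper names and the harmless `echo` stand-in payload are constructed for illustration, and the code assumes a POSIX system with `/bin/sh`, `printf` and `wc`.

```python
import shlex
import subprocess

# Constructed access-log line. The User-Agent field is attacker-controlled;
# a harmless `echo` stands in for whatever a scanner might send.
SAMPLE_LOG_LINE = (
    '203.0.113.7 - - [05/Oct/2014:10:00:00 +0000] "GET /api/scores HTTP/1.1" '
    '200 512 "-" "probe$(echo INJECTED)"'
)


def user_agent(line):
    """Return the last double-quoted field of a combined-format log line."""
    return line.rsplit('"', 2)[1]


def count_unsafe(line):
    """Hypothetical debug helper, vulnerable: the field is pasted into a shell string."""
    cmd = 'printf %s "' + user_agent(line) + '" | wc -c'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return int(out)  # the shell has already expanded $(...) by this point


def count_safe(line):
    """Hardened: no shell at all, the field travels as one argv element."""
    out = subprocess.run(
        ["printf", "%s", user_agent(line)], capture_output=True, text=True
    ).stdout
    return len(out)


def count_quoted(line):
    """Fallback when a pipeline is unavoidable: quote the field for the shell."""
    cmd = "printf %s " + shlex.quote(user_agent(line)) + " | wc -c"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return int(out)


if __name__ == "__main__":
    # The unsafe count is shorter than the real field because the embedded
    # command ran and its output replaced the $(...) text.
    print("unsafe:", count_unsafe(SAMPLE_LOG_LINE))
    print("safe:  ", count_safe(SAMPLE_LOG_LINE))
    print("quoted:", count_quoted(SAMPLE_LOG_LINE))
```

A patched Bash does not help here: the unsafe helper runs the embedded command through ordinary shell expansion, which is why a fully patched server can still execute code carried in a logged request.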