Point, click, get root on Yahoo
A simple scan for unpublished websites within Yahoo's Internet address space gave an unemployed and bored IT worker access to several of the portal company's internal systems, including root access inside the company firewall, the worker says.
Yahoo URLs provided by the man routed to what appeared to be two unprotected Web-based remote administration consoles for company disk and file storage systems. In a written statement, Yahoo spokesperson Mary Osako acknowledged that the servers shouldn't have been exposed to the Internet, and said the company closed off access on Wednesday. "No user data was compromised," Osako wrote. "Yahoo! takes security across its network very seriously."
It's not the first time Yahoo has had to emphasize how seriously it takes security. In September 2001, hacker Adrian Lamo changed several wire service stories on Yahoo News after finding similar Web-based tools unprotected and accessible from the Internet. "It gratifies me to see they have not lost their consistency in terms of network architecture," says Lamo, who attributes the gaffes to inflexible thinking. "Companies don't look at things that are not normally classified as security vulnerabilities."
[ Read more ]
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.