Point, click, get root on Yahoo
A simple scan for unpublished websites within Yahoo's Internet address space gave an unemployed and bored IT worker access to several of the portal company's internal systems, including root access inside the company firewall, the worker says.
Yahoo URLs provided by the man routed to what appeared to be two unprotected Web-based remote administration consoles for company disk and file storage systems. In a written statement, Yahoo spokesperson Mary Osako acknowledged that the servers shouldn't have been exposed to the Internet, and said the company closed off access on Wednesday. "No user data was compromised," Osako wrote. "Yahoo! takes security across its network very seriously."
It's not the first time Yahoo has had to emphasize how seriously it takes security. In September 2001, hacker Adrian Lamo changed several wire service stories on Yahoo News after finding similar Web-based tools unprotected and accessible from the Internet. "It gratifies me to see they have not lost their consistency in terms of network architecture," says Lamo, who attributes the gaffes to inflexible thinking. "Companies don't look at things that are not normally classified as security vulnerabilities."
[ Read more ]