A penetration tester has reportedly hacked Yahoo!, claiming to have gained access to website backup and database files for a dozen databases.
The hacker using the handle Virus_Hima published screenshots that showed the purported site backups for a Yahoo! finance subdomain.
The hacker claimed to have accessed the databases via a reflected cross site scripting vulnerability which he told SC was fixed by Yahoo!. He also said he discovered a SQL Injection hole.
Virus_Hima disclosed the flaws alleging that Yahoo! had ignored his vulnerability disclosure email.
Yahoo! spokesman DJ Andersoon told SC it was aware of the claims.
"We are aware of a recent online posting regarding vulnerabilities in our systems. We are investigating these claims and will work diligently to fix any vulnerabilities that are found.," Anderson said.
"At this time, we confirm that there has been no user impact associated with these claims."
The writer previously dumped 230 email addresses, names and hashed passwords extracted from an Adobe database of 150,000 records and revealed how attackers could access Yahoo! emails by stealing cookies.
"I have found tens of zero day vulnerabilities in big web sites such as Adobe, Microsoft, Yahoo!, Google, Apple, Facebook," the hacker wrote in a public clipboard document.
"Google [replied and patched quickly] but for Adobe and Yahoo they were so slow in reply … So I decided to teach both of them a hard lesson to harden [their] security procedures."
Virus_Hima denied links to the sale of the Yahoo! email exploit on criminal forums.
Copyright © SC Magazine, Australia
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.