Hacker nabs Yahoo! site backups

A penetration tester has reportedly hacked Yahoo!, claiming to have gained access to website backup and database files for a dozen databases.

The hacker using the handle Virus_Hima published screenshots that showed the purported site backups for a Yahoo! finance subdomain.

The hacker claimed to have accessed the databases via a reflected cross site scripting vulnerability which he told SC was fixed by Yahoo!. He also said he discovered a SQL Injection hole.

Virus_Hima disclosed the flaws alleging that Yahoo! had ignored his vulnerability disclosure email.

Yahoo! spokesman DJ Andersoon told SC it was aware of the claims.

"We are aware of a recent online posting regarding vulnerabilities in our systems.  We are investigating these claims and will work diligently to fix any vulnerabilities that are found.," Anderson said.

"At this time, we confirm that there has been no user impact associated with these claims."

The writer previously dumped 230 email addresses, names and hashed passwords extracted from an Adobe database of 150,000 records and revealed how attackers could access Yahoo! emails by stealing cookies.

"I have found tens of zero day vulnerabilities in big web sites such as Adobe, Microsoft, Yahoo!, Google, Apple, Facebook," the hacker wrote in a public clipboard document.

"Google [replied and patched quickly] but for Adobe and Yahoo they were so slow in reply … So I decided to teach both of them a hard lesson to harden [their] security procedures."

Virus_Hima denied links to the sale of the Yahoo! email exploit on criminal forums.

Copyright © SC Magazine, Australia