Egyptian hacker ViruS_HimA recently published information on a series of Yahoo security flaws that provided him with access to full file backups for one of Yahoo's domains, along with full access to 12 company databases.
"The hacker ... published screenshots that showed the purported site backups for a Yahoo! finance subdomain," writes CRN's Darren Pauli. "The hacker claimed to have accessed the databases via a reflected cross-site scripting vulnerability which he said was fixed by Yahoo!. He also said he discovered a SQL Injection hole."
"ViruS_HimA said ... that as a professional security tester and researcher, his black-hat hacking days were behind him," writes TechNewsDaily's Ben Weitzenkorn. "Whenever he finds vulnerabilities he reports them straight to the vendor, he said. ... [Yahoo's] alleged non-response prompted ViruS_HimA to go public with the data breach, which, he claimed, gave him access to a 'full file backup,' access to 12 Yahoo databases and the ability to exploit a cross-site scripting flaw. If ViruS_HimA is to be taken at his word, Yahoo's customers are extremely lucky. Had a cyberthief gone that deep into Yahoo's digital bowels, he would have had access to very sensitive user data that may have included email addresses and passwords as well as bank card information."
"Yahoo is investigating the claims," writes The Next Web's Emil Protalinski. "The company says it has no reason to believe users have been affected at this time. 'Thanks for contacting us regarding this matter,' a Yahoo spokesperson said in a statement. 'At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We are aware of a recent online posting regarding vulnerabilities in our systems. We are investigating these claims and will work diligently to fix any vulnerabilities that are found. At this time, we confirm that there has been no user impact associated with these claims.'"