After security researchers revealed that Yahoo's servers may have suffered from a Shellshock-related attack, Yahoo's chief information security officer (CISO) Alex Stamos published a post on Hacker News to offer some clarifications. According to Stamos, the attack did not result in the disclosure of any personal information, user IDs, or passwords belonging to Yahoo users. However, Stamos did point out that the attack targeted three API servers. According to Stamos' post:
Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs... Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users' data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data.
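The bug class Stamos describes, a log-parsing helper that splices a request field into a shell command, shown here as an added example that is not Yahoo's script or any code from the post: the log lines, the field names and the detection pattern are all constructed for illustration, and the hardened variant passes the field to grep as an argument rather than through a shell.

```python
import re
import subprocess

# Constructed sample web log lines (combined log format). The second carries
# the well-known Shellshock function-definition marker padded with extra
# whitespace, standing in for the "mutated" probe described in the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Oct/2014:10:00:01 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Oct/2014:10:00:02 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "()  {  :;  };  echo probe"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Whitespace-tolerant match for a bash function definition at the start of a
# header value; a fixed-string match on "() {" would miss the padded form.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def parse_line(line):
    """Split one combined-format log line into its fields (None if malformed)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_shellshock(field):
    """Flag a header value that begins with a bash function definition."""
    return bool(SHELLSHOCK_RE.search(field))


def unsafe_debug_command(ua):
    """The vulnerable pattern: the User-Agent string lands inside a shell
    command line, so any shell metacharacters in it become code. Returned as
    a string only to show the problem; it is never executed here."""
    return 'grep -c "%s" access.log' % ua


def safe_debug_count(ua, lines):
    """Hardened equivalent: no shell at all. The field is one argv element to
    grep (-F for fixed strings, -- so a leading dash is not an option)."""
    proc = subprocess.run(["grep", "-c", "-F", "--", ua],
                          input="\n".join(lines) + "\n",
                          capture_output=True, text=True)
    return int(proc.stdout.strip() or 0)


def scan(lines):
    """Return (client ip, user agent) for every line carrying the marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and looks_like_shellshock(rec["ua"]):
            hits.append((rec["ip"], rec["ua"]))
    return hits
```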
The targeting of API servers is a reminder to all that as network APIs proliferate, so too will the size of the Internet's vulnerable surface area. APIs tend to get less scrutiny than human-facing interfaces do when it comes to locking down systems. Oversights like this came to the forefront after naked pictures of various celebrities were allegedly retrieved by hackers who leveraged an undocumented but improperly secured API to Apple's servers. ProgrammableWeb recently covered the issue, and the urgency of securing not just your APIs but also all of their adjacencies, in a post headlined "The Naked Truth About Internet Security."