Slashdot Mirror


User: newfurniturey

newfurniturey's activity in the archive.

Stories: 0
Comments: 3

Comments · 3

  1. CISO of Yahoo says "not Shellshock" on Hackers Compromised Yahoo Servers Using Shellshock Bug · Score: 1

    Alex Stamos, the CISO of Yahoo, posted an in-response bulletin on Hacker News to clear up the rumor that this breach was caused by Shellshock.

    Straight to the point, he states that it was not Shellshock that the system was vulnerable to but a separate command-injection vulnerability in their log parsing scripts. Though... Shellshock itself is a command-injection / parsing vulnerability so I'm sure many will skip over the technicalities and consider them one and the same.

    At first I was surprised that he came forward and gave explicit details that, well, can now be targeted against. On the other hand, I think it's pretty cool of them to be so open (either that, or they really didn't want to be the "large company" that was affected by Shellshock =P).

  2. Comments based on experience? on Microsoft Won't Bring Back the Start Menu Until 2015 · Score: 0

    When Microsoft first announced Windows 8, the bashing began (as usual and expected). "Metro's bad", "no Start Menu", yada yada.

    Now, fast forward to today - Windows 8.1 and still no Start Menu. Is it really that bad? How many users that are commenting here, complaining about it, have actually tried it? Does it truly hinder your ability to use the computer?

    I, for one, have not tried Windows 8. Not because I don't like the idea of it but because I'm still on Windows 7 and have no need to actually upgrade yet. However, I have *seen* both PCs and laptops with Windows 8 (neither with touch screen) and it actually looked pretty good. Both switched from the Metro-giant-buttons screen over to the desktop and it looked like a normal computer with a normal version of Windows on it, nothing crazy.

    The primary reason I'm not going to issue a complaint about the "no Start Menu" isn't because I haven't actually tried Windows 8 and dislike it, it's because as an actual "power user" of Windows, I don't use the Start Menu that much. WinKey+R to run whatever I need, main apps pinned to the taskbar, "My Computer" / "Documents" icons available on the desktop - everything one double-click away. My Linux boxes are quite similar (except the WinKey+R, of course =P).

    Are there any users out there that actually had their "experience" ruined because they didn't have a Start Menu and, if so, why / how?

  3. Not too convincing... on Severe Vulnerability At eBay's Website · Score: 4, Insightful

    The linked article has zero information regarding this attack and instead focuses on eBay's attack history; once more, it also links to its own eBay page so +1 for that.

    The one hint it does include is a picture and in the picture you can see that the JavaScript is being inserted into the title of the listing (not sure if that's the actual vulnerability or not though). However, as a security researcher, showing a PoC against a large company requires more than a simple alert(1) and instead should use something such as alert(document.domain). The reason for document.domain is because it will show what hostname the JavaScript is executing under - which means everything when it comes to security.

    If this is really an XSS hole and eBay comes back with "it's not that bad", there's a good chance that the JavaScript is executing in an iframe on a separate domain which means attackers would not have important access such as a user's cookies / etc. Instead, they'll only be able to execute arbitrary JavaScript (which is bad, but nothing worse than setting up a bad domain and using SEO tricks to drive traffic to it).

    Can anyone find a more relevant article that spills out the actual details of this, or maybe one that includes the actual PoC this researcher has created?