Market Exclusive

Yahoo! Inc. (NASDAQ:YHOO) Discontinues Use Of ImageMagick Library

Yahoo! Inc. (NASDAQ:YHOO) will no longer use the ImageMagick library due to a security breach that was disclosed by researchers. The disclosure outlined a simple way of breaking into the system, resulting in information leaks and exploitation. The vulnerability, the so-called “Yahoobleed #1” (YB1), was discovered by security researcher Chris Evans.

The bug slurps other users’ personal Yahoo! Mail image attachments from Yahoo servers. However, it may have resulted from Yahoo’s failure to install a critical patch released in January 2015. Apparently, a second Yahoobleed vulnerability was quickly fixed by ImageMagick developers after a private report by Evans.

Consequences of the bugs

According to Evans’s report, the two bugs were a real mess because attackers were able to access browser cookies, verification tokens, and private image attachments. Speaking to Ars, the researcher said, “ImageMagick usage is a real mess. I’m sure there are lots of sites out there which are still vulnerable to this.”

He further states that he was surprised to discover that, despite the highly publicized vulnerability, some of the big Silicon Valley companies were yet to update their versions of ImageMagick. Nonetheless, the security researcher has applauded Yahoo’s move to stop using the library, which has drawn massive criticism for harboring significant vulnerabilities.

Bounty payment for the patched bug

Apparently, the bugs had been unpatched for close to 28 months. However, Evans says that Yahoo engineers moved with speed to fix them the moment they received his private report. He has, however, warned that other commonly used Web services may be vulnerable.

Earlier in the year, over 500 million Yahoo user accounts were put at risk after vital information was stolen from them. Four Russians who are suspected to have been involved are facing theft-related charges.

Meanwhile, Evans’s efforts in reporting and patching the ImageMagick bug have been acknowledged. He will be receiving a whopping $14,000, which he says he will donate to a charity. In the meantime, Yahoo’s stock closed at $50.65, an increase of $0.47 or 0.94%.
