A hacker in Egypt has released vague details of three vulnerabilities he claims to have found within Yahoo's website, the second time in two months he's found problems in the website of a major technology company.
The hacker, who calls himself "Virus_Hima," released screenshots that he alleged proves the problems he found, one of which allowed him to access a full backup of one of Yahoo's domains. The other two problems are a cross-site scripting vulnerability and a SQL injection vulnerability, according to a post on Pastebin.
He wrote that he held off releasing data gained by exploiting the Yahoo vulnerabilities since he said he's now gained the respect of vendors following his previous hacks of Adobe, Yahoo and others. Virus_Hima alerted IDG News Service to his latest work with Yahoo, but he did not immediately answer follow-up questions via email.
In November, Virus_Hima released a batch of more than 200 email addresses he obtained from a vulnerable database belonging to Adobe Systems. He only released email addresses ending in "adobe.com," ".mil" and ".gov." Other data released included the full names, titles, organizations, email addresses, usernames and encrypted passwords of users in a variety of U.S. government agencies.
Adobe subsequently shut down Connectusers.com, which is a community forum for users of its Connect Web conferencing service.
Virus_Hima wrote that after he published the Adobe data, the company soon contacted him and said the issue would be patched. He wrote that previously companies waited up to three to four months before resolving the issues.
The hacker also wrote that he was not the person selling a cross-site scripting vulnerability on a hacker forum for US$700, which was covered by the Krebs on Security blog.
But Virus_Hima appears to be planning to take it easy for a while. "I'm not planning to do any more leaks soon." He also had a tip for software vendors: "Always be proactive, not reactive, in safeguarding your critical data."
Yahoo officials could not be immediately reached for comment.
Sign up for Computerworld eNewsletters.