In a development that exposes grave risks of news manipulation in a time of crisis, a hacker demonstrated Tuesday that he could rewrite the text of Yahoo! News articles at will, apparently using nothing more than a web browser and an easily-obtained Internet address.
Yahoo! News, which learned of the hack from SecurityFocus, says it has closed the security hole that allowed 20-year-old hacker Adrian Lamo to access the portal’s web-based production tools Tuesday morning, and modify an August 23rd news story about Dmitry Sklyarov, a Russian computer programmer facing federal criminal charges under the controversial Digital Millennium Copyright Act (DMCA).
Sklyarov created a computer program that cracks the copy protection scheme used by Adobe Systems’ eBook software. His prosecution has come under fire by computer programmers and electronic civil libertarians who argue that the DMCA is an unconstitutional impingement on speech, and interferes with consumers’ traditional right to make personal copies of books, movies and music that they’ve purchased.Lamo tampered with Yahoo!’s copy of a Reuters story that described a delay in Sklyarov’s court proceedings, so that the text reported, incorrectly, that the Russian was facing the death penalty.The modified story warned sardonically that Sklyarov’s work raised “the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope.”
The text went on to report that Attorney General John Ashcroft held a press conference about the case before “cheering hordes”, and incorrectly quoted Ashcroft as saying, “They shall not overcome. Whoever told them that the truth shall set them free was obviously and grossly unfamiliar with federal law.”
Proxy problems
Yahoo! declined to comment on the specifics of the hack, but as described by Lamo, modifying the portal’s news stories didn’t require much hacking. He made the changes using an ordinary web browser, and didn’t need to do so much as enter a password.The culprit in this case was a trio of proxy web servers that bridged Yahoo!’s internal corporate network to the public Internet. By configuring a web browser to go through one of the proxies, anyone on the Internet could masquerade as a Yahoo! insider, says Lamo, winning instant trust from the company’s web-based content management system.The hacker criticized the web giant for not prioritizing security on the systems that allow editing and creation of news stories.”There are more secure parts of their network,” says Lamo. “It’s more difficult to get into their advertising reporting statistics than their news production tools.”