The spy tool that the US government ordered Yahoo to install on its systems last year at the behest of the NSA or the FBI was a "poorly designed" and "buggy" piece of malware, according to two sources closely familiar with the matter.
Last year, the US government served Yahoo with a secret order, asking the company to search within its users' emails for some targeted information, as first reported by Reuters this week. It's still unclear what information was sought, but The New York Times, citing an anonymous official source, later reported that the government was looking for a specific digital "signature" of a "communications method used by a state-sponsored, foreign terrorist organization."
Anonymous sources told The Times that the tool was nothing more than a modified version of Yahoo's existing scanning system, which searches all email for malware, spam and images of child pornography.
But two sources familiar with the matter told Motherboard that this description is wrong, and that the tool was actually more like a "rootkit," a powerful type of malware that lives deep inside an infected system and gives hackers essentially unfettered access.
The rootkit-like tool was found by Yahoo's internal security testing team during one of their checkups, according to a source.
"They assumed it was a rootkit installed by hackers," an ex-Yahoo employee, who requested anonymity to discuss sensitive issues, told Motherboard. "If it was just a slight modification to the spam and child pornography filters, the security team wouldn't have noticed and freaked out."
"It definitely contained something that did not look like anything Yahoo mail would have installed," the source added. "This backdoor was installed in a way that endangered all of Yahoo users."
Another source, who also requested anonymity and was familiar with what happened, confirmed that describing the tool as a "buggy" "rootkit" is accurate.
Yahoo declined to comment for this article, and sent the same statement it released after the news broke.
"The article is misleading," the statement read, referring to the original report by Reuters. "We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems."
The office of the Director of National Intelligence did not respond to a request for comment.
After the Yahoo security team discovered the spy tool and opened a high-severity security issue within an internal tracking system, according to the source, the warning moved up the ranks. But when the head of security at the time, Alex Stamos, found out it was installed on purpose, he spoke with management; afterward, "somehow they covered it up and closed the issue fast enough that most of the [security] team didn't find out," the source said.
In other words, the incident was an "extremely well kept" secret, the source said. Stamos, a well-respected veteran of the security industry who now works at Facebook, declined to comment. Reuters reported that this incident was one of the reasons that led to his departure.
There are still many unanswered questions, such as what exactly the government was after, how long the tool was in place, whether it was written by Yahoo developers or handed over by the government, and why Yahoo decided to keep its own security team in the dark.
"I think they were just naive," the source said. "Yahoo is a big place and many people there don't realize the security team is actually good at their job."