Panama Papers: a huge leak caused by a WordPress plugin


The importance of installing updates as soon as they become available has once again been highlighted by the Panama Papers leak. Indeed, it has been reported that the information was not stolen by an insider, but rather obtained via a vulnerability that was not patched in time…

Panama Papers: 2.6 TB of leaked files

In the past few days, many highly placed individuals and ordinary people from all over the world have been extremely embarrassed when it was revealed that they had set up offshore shell companies in Panama, using the services of the law firm Mossack Fonseca. Such companies can be used to hide money and other assets from tax authorities and other public organisations, which is why the world’s media was so shocked by the news. We will not discuss these companies’ intentions, just as we will not attempt to determine whether these practices are ethically responsible. But, as a hosting company that cares about users’ data protection, we really wanted to find out how this data leak occurred.

A leak of this size had never occurred before: 2.6 terabytes of data, made up of 11 million documents. By way of comparison: Wikileaks Cablegate hackers accessed 1.7 GB of data, Sony Pictures 230 GB and Ashley Madison 30 GB.

It was not an insider, it was a security breach

The worst thing about the Panama Papers is that the revelations are most probably not the work of an insider who released the data to reporters. Everybody seems to believe that the leak was caused by an inexplicable lack of security measures at Mossack Fonseca.

Although the law firm handled very confidential information regarding its clients, its e-mail correspondence was apparently not encrypted. WordFence, a company that produces security software for WordPress websites, also noticed that the web server did not sit behind a firewall and was even on the same network as the Panama-based mail servers. In addition, the clients’ sensitive data were served through the web portal behind a simple client login.

An old version of Drupal for the client portal

Forbes also noticed that the client portal ran an outdated version of Drupal (7.23), while version 8 was already available. The old version has at least 25 known vulnerabilities and, in 2014, Drupal had already issued a warning about these exploits. In other words, Mossack Fonseca’s servers have been vulnerable to attacks for more than two and a half years.

Did an outdated version of the Revolution Slider plugin open the door to hackers?

According to WordFence, it is more likely that the WordPress plugin Revolution Slider made the hack possible. In fact, due to a coding error, the plugin allows users with no privileges to run an AJAX (or dynamic browser HTTP) request that only privileged users should be able to run, since it allows any hacker to upload a file. In this video, you can see how this exploit works and how simple it is.

But there is more: a working exploit for this vulnerability in Revolution Slider was published in October 2014… and a website that is vulnerable to this exploit is quite easy to spot by setting up a robot that searches for URLs like

In many forums, such as The Register and Slashdot, users are puzzled by this lack of security, considering the sensitive nature of the data to be protected.

Updates, Updates, Updates!

The lesson to be learned here is that updates and patches are essential for all operating systems, content management systems and their add-ons or plugins that connect to the Internet; this cannot be stressed enough. You should always install all available updates as soon as you receive a notification.
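As an added example (not from the original article or from Combell), the Python sketch below inventories a web root and flags components that sit below a patch baseline. It reads the Drupal 7 `VERSION` constant and the `Version:` header of WordPress plugins; the plugin name `example-slider`, its version and the baseline values are constructed, so substitute the minimum versions from vendor advisories.

```python
import re
import tempfile
from pathlib import Path

# WordPress plugins declare "Version:" in the main file's header comment;
# Drupal 7 core defines VERSION in includes/bootstrap.inc.
WP_HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)
DRUPAL7 = re.compile(r"define\(\s*'VERSION'\s*,\s*'([0-9][0-9.]*)'")
# Constructed baseline for the sample tree, not real advisory data.
SAMPLE_BASELINE = {"drupal": "7.24", "wp-plugin:example-slider": "4.2"}

def parse(version):
    """'7.23' -> (7, 23); numeric compare so 4.10 sorts above 4.9."""
    return tuple(int(p) for p in version.strip(".").split(".") if p)

def is_outdated(installed, minimum):
    a, b = parse(installed), parse(minimum)
    width = max(len(a), len(b))  # pad so 4.2 equals 4.2.0
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(a) < pad(b)

def inventory(docroot):
    """Map component name -> installed version found under docroot."""
    root, found = Path(docroot), {}
    bootstrap = root / "includes" / "bootstrap.inc"
    if bootstrap.is_file() and (m := DRUPAL7.search(bootstrap.read_text(errors="replace"))):
        found["drupal"] = m.group(1)
    for php in sorted(root.glob("wp-content/plugins/*/*.php")):
        # Plugin headers sit at the start of the file, so a prefix is enough.
        if m := WP_HEADER.search(php.read_text(errors="replace")[:8192]):
            found["wp-plugin:" + php.parent.name] = m.group(1)
    return found

def audit(docroot, baseline):
    """Return {component: (installed, minimum)} for everything below baseline."""
    return {name: (ver, baseline[name])
            for name, ver in inventory(docroot).items()
            if name in baseline and is_outdated(ver, baseline[name])}

def sample_tree():
    """Constructed docroot: Drupal 7.23 core plus one plugin at 4.1.4."""
    root = Path(tempfile.mkdtemp())
    (root / "includes").mkdir()
    (root / "includes/bootstrap.inc").write_text("<?php\ndefine('VERSION', '7.23');\n")
    plug = root / "wp-content/plugins/example-slider"
    plug.mkdir(parents=True)
    (plug / "example-slider.php").write_text("<?php\n/*\n * Plugin Name: Example Slider\n * Version: 4.1.4\n */\n")
    return root

if __name__ == "__main__":
    print(audit(sample_tree(), SAMPLE_BASELINE))
```

Components missing from the baseline are inventoried but not flagged, so review the output of `inventory()` for software nobody is tracking.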

If you use Combell’s web hosting services, you are always informed about the most critical updates. Thanks to Combell Shield, all CMSs are regularly checked and customers are notified when critical bugs or issues are detected. Soon, we will also be able to install updates automatically, but more about this later. Stay tuned!

