In early April 2016, reports emerged detailing history’s largest data leak, the Panama Papers.
This leak of sensitive data concerning both Mossack Fonseca and its clients amounted to 2.6 TB: 11.5 million documents relating to over 200,000 companies, exposing the hidden fortunes of politicians, dictators and the super-rich. For a sense of scale, the 2010 WikiLeaks release contained a mere 1.7 GB of data.
How did this happen? 2.6 TB is an enormous amount of data to lose, especially for a law firm that specializes in hiding the wealth of some of the most secretive and wealthy dictators and politicians on Earth.
Theories attempting to pinpoint the source of this data breach have begun to emerge online with the focus on unpatched content management systems (CMSes) which would have exposed Mossack Fonseca’s private data.
Unfortunately, this isn’t surprising.
When the research labs here at Checkmarx ran security scans against the source code of the top WordPress plugins, we found that over 20% of the 50 most popular plugins were vulnerable to web attacks including SQL injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), among others.
“Twenty five percent of all websites on the net use WordPress as a gateway into their organizations and it’s alarming to see many of them using plugins that can expose their sensitive data through vulnerabilities such as SQL injections and XSS which could have been addressed by proper code analysis prior to implementation,” says Amit Ashbel, Checkmarx’s Cybersecurity Evangelist.
“When implementing any CMS plugin, it’s important to always use the latest version,” adds Ashbel, “additionally, you should also review the latest vulnerabilities and scan the code prior to implementation to be sure you’re not exposing yourself to potential threats.”
If you are concerned that there might be vulnerabilities in your WordPress plugins, or themes, be sure to check out the WordPress Vulnerability Database.
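The plugin flaw named most often above, SQL injection, almost always has the same shape: a request parameter concatenated into a query string. The following is an added example written for this post, not code from Checkmarx or from any WordPress plugin. It uses an in-memory SQLite database through PDO so it runs stand-alone with the PHP CLI; the table, column names and the attacker payload are constructed for the demonstration. In a real plugin the hardened form is `$wpdb->prepare()` with `%s`/`%d` placeholders, which does the same job as the PDO prepared statement here.

```php
<?php
// Added example: an injectable plugin-style query beside its parameterised
// replacement. Runs stand-alone against SQLite via PDO (requires pdo_sqlite).
// WordPress equivalent of the hardened path:
//   $wpdb->get_results($wpdb->prepare("SELECT ... WHERE slug = %s", $slug));

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for a plugin's table.
$db->exec('CREATE TABLE wp_slides (id INTEGER PRIMARY KEY, slug TEXT, owner TEXT, secret TEXT)');
$db->exec("INSERT INTO wp_slides (slug, owner, secret) VALUES ('home',  'alice', 'alice-token')");
$db->exec("INSERT INTO wp_slides (slug, owner, secret) VALUES ('about', 'bob',   'bob-token')");

// Vulnerable: the request parameter becomes part of the SQL text, so a quote
// in the input ends the string literal and the rest is parsed as SQL.
function slides_vulnerable(PDO $db, string $slug): array
{
    $sql = "SELECT slug, owner, secret FROM wp_slides WHERE slug = '" . $slug . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound to a placeholder and never parsed as SQL,
// so the same payload is only ever compared literally against the column.
function slides_hardened(PDO $db, string $slug): array
{
    $stmt = $db->prepare('SELECT slug, owner, secret FROM wp_slides WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input, as it would arrive in ?slug=...
$payload = "home' OR '1'='1";

printf("vulnerable: %d row(s)\n", count(slides_vulnerable($db, $payload)));
foreach (slides_vulnerable($db, $payload) as $row) {
    printf("  %s owned by %s, secret %s\n", $row['slug'], $row['owner'], $row['secret']);
}
printf("hardened: %d row(s)\n", count(slides_hardened($db, $payload)));
```

The vulnerable path turns the query into `WHERE slug = 'home' OR '1'='1'` and hands back every row, secrets included; the hardened path looks for a slug that literally equals the payload and finds nothing. A source-code scan of the kind mentioned above flags the first shape precisely because the string concatenation, not any particular payload, is the defect.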
So, How Could The Hackers Have Gotten In?
Mossack Fonseca was operating with serious vulnerabilities in both their front-facing WordPress site and their customer portal for exchanging sensitive materials with their customers which ran on an outdated version of Drupal.
The suspected point of entry to the trove of Mossack Fonseca emails and sensitive customer data was an unpatched version of a WordPress design plugin, Revolution Slider; the version in use had a serious vulnerability that was publicly disclosed back in 2014. Once on the web server, the attackers could have reached the Mossack Fonseca mail server as well, since it was hosted on the same machine as the WordPress site. Co-hosting mail with a public web application means a web compromise is also a mail compromise, and that lack of segregation did as much damage as the missing patch.
In addition to the unpatched WordPress plugin, the secure customer portal for Mossack Fonseca was running Drupal 7.23, which did not include the critical security patch issued in version 7.32 for an SQL injection flaw in Drupal core. Sites running without that patch were so exposed that the official Drupal announcement told administrators who had not updated to 7.32 within hours of its release to assume their sites had already been compromised:
“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.”
This announcement came in October 2014, which means that the Mossack Fonseca customer portal was operating while fully vulnerable for well over a year.
Unlike the WordPress plugin, it would have taken more than just a click to update to the latest build of Drupal, but for a company that prides itself on confidentiality and security, Mossack Fonseca should have been much more aware of the critical security vulnerabilities that were left wide open to exploit.
WordPress Ups Its Encryption Efforts
Just over a week after major news outlets started publishing the Panama Papers, WordPress.com announced free HTTPS for all of the custom domains it hosts, protecting users against account hijacking, cookie theft, surveillance of their traffic and related attacks. The HTTPS rollout for the million-plus custom domains hosted on WordPress.com is free and automatic, requiring no action from site owners.
Check out 7 Lessons To Take Away from the Drupal SQL Injection Flaw to understand more about the threats posed by websites running pre-7.32 versions of Drupal and if you’d like to learn how you can tackle SQL injections using Source Code Analysis be sure to read our SQL injection tutorial.