Panama Papers: Files available via Drupal, email information stored in WordPress
Sam Hermans
Mossack Fonseca has two main websites: its front-facing website, which runs on WordPress; and a customer portal for sharing sensitive information with customers, which runs Drupal.
Both of those sites were running outdated versions of the software and in both cases significant security holes existed that would have allowed hackers access. While no one knows for sure how the leak happened, the obsolete software may have contributed to the world’s largest data breach ever.
Drupal
One entry point is the secure portal that the company ran where it enabled customers to log in and share details of their business dealings.
That site ran Drupal version 7.23 and, as every Drupal sysadmin is all too aware, that version predates the highly critical security patch in version 7.32. The vulnerability that patch fixed was so bad that experts warned that anyone who had not patched their site on the day of the patch release should assume they had been hacked and consider a fresh install.
That security warning was issued back in October 2014. So Mossack Fonseca's recently breached "secure portal", which still provides clients access to data, was running a version of Drupal that has over 23 vulnerabilities.
The lesson of course is patch, patch, PATCH.
WordPress
WordPress is such a popular and easy to use CMS that anyone can learn how to work with it. You log into the administrator dashboard and you’re set. Creating, editing or publishing content to the web has never been easier.
But while doing that, most users never wonder how secure their website is, and they usually skip the update when plugins need updating or new versions of WordPress are available.
Mossack Fonseca's WordPress installation was three months out of date, and one company, WordFence, has published an extensive rundown of what it believes was the entry point: an unpatched version of the Revolution Slider plugin, a plugin used to simplify website design.
Once you gain access to a WordPress website, you can view the contents of wp-config.php, which stores the WordPress database credentials in clear text.
In other words, hackers could have found their way into the system through Mossack Fonseca's website, used the database credentials and recovered email settings to access its mail server, and downloaded all the emails.
The team notes that the law firm's mail server was hosted at the same IP address as the WordPress server.
In Conclusion
If you can automate security notifications, you should. Manual work at any stage of a platform’s configuration, deployment, or maintenance introduces the risk of costly human errors and tribal knowledge build-up.
Security is a continuous process of watchfulness and action.
You need to manage your Drupal or WordPress security from the outset: make sure every part of the architecture (core, contributed code and your infrastructure) is implemented in a secure manner, then keep that system as secure as possible by monitoring each installed piece and always applying the latest version as swiftly as possible.
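One way to automate the core-version check described above, as an added example (not Lumturio's code): it reads the version each CMS records on disk and compares it with a minimum patched release. The function names, the sample docroot and the WordPress baseline are constructed for illustration; 7.23 and 7.32 are the Drupal versions named in this article.

```python
import re
import tempfile
from pathlib import Path

# File and pattern where each CMS core records its version.
PROBES = {
    "drupal7": ("includes/bootstrap.inc",
                re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'")),
    "wordpress": ("wp-includes/version.php",
                  re.compile(r"\$wp_version\s*=\s*'([^']+)'")),
}

def version_key(version):
    """'7.32' -> (7, 32), so 7.4 sorts below 7.32 (a string compare would not)."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in version.split("."))

def audit(docroot, minimum):
    """Return (cms, installed, required, status) for each CMS core found."""
    findings = []
    for cms, (rel_path, pattern) in PROBES.items():
        path = Path(docroot) / rel_path
        if not path.is_file():
            continue  # this CMS is not installed here
        match = pattern.search(path.read_text(errors="replace"))
        installed = match.group(1) if match else None
        required = minimum.get(cms)
        if installed is None or required is None:
            status = "UNKNOWN"  # fail loud: cannot prove the site is patched
        elif version_key(installed) < version_key(required):
            status = "OUTDATED"
        else:
            status = "OK"
        findings.append((cms, installed, required, status))
    return findings

def sample_docroot():
    """Constructed sample site: Drupal 7.23 (from the article) plus WordPress."""
    root = Path(tempfile.mkdtemp())
    files = {"includes/bootstrap.inc": "<?php\ndefine('VERSION', '7.23');\n",
             "wp-includes/version.php": "<?php\n$wp_version = '4.4.2';\n"}
    for rel_path, body in files.items():
        (root / rel_path).parent.mkdir(parents=True, exist_ok=True)
        (root / rel_path).write_text(body)
    return root

if __name__ == "__main__":
    # 7.32 is the patched Drupal release named above; 4.4.2 is a constructed baseline.
    for row in audit(sample_docroot(), {"drupal7": "7.32", "wordpress": "4.4.2"}):
        print(row)
```

Run from cron against each docroot, any row with status OUTDATED or UNKNOWN is what should trigger the notification; plugin and module versions need their own probes and are not covered here.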
About Lumturio
Lumturio’s update manager for Drupal and WordPress modules and cores continuously checks for new versions of the CMS on your or your clients’ websites (including contributed modules and themes), and alerts you when updates are available.
Our dashboard indicates and/or notifies when new releases of modules, themes or core updates are available for download. Might prove to be really useful, wouldn't you say?