Panama Papers Mass Dump - Wordpress implicated

[drmike]

So maybe you live under a rock and avoid news sites, congrats on being a rare creature and happy day to enjoy that quiet by the stream.


Rest of us have been snorting as the Panama Papers hack job matures and controlled media IV drips bits and pieces (even though they've had the data for a year or three).  Terabytes of data on Panamian offshore / money laundering operations all formed by one incorporator Mossack Fonseca, a Panamanian law firm.Now one site has called out Mossack Fonseca's website security, namely really old versions of open source software.  Most notably, drumroll: Wordpress.  (But Wordpress is soooooooo secure)


Drupal and Wordpress are implicated and both were way way old and insecure versions.


... found that the firm’s WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. Since that time WordPress has had numerous critical security updates.

The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/.


source: http://wptavern.com/outdated-and-vulnerable-wordpress-and-drupal-versions-may-have-contributed-to-the-panama-papers-breach

 

[clarity]

The great thing about that article is that the creator of WordPress owns that website. He bought it a few years ago, and he pays the writers of the staff from his company, Audrey.co.


http://wptavern.com/about


When I read it, I didn't get that they had found the attack vector conclusively, but I bet that they were using the same passwords on multiple things. If their Drupal was that outdated, it would have probably been easier to get into, Drupalgeddon.

 

[DomainBop]

Rest of us have been snorting as the Panama Papers hack job matures and controlled media IV drips bits and pieces (even though they've had the data for a year or three).  Terabytes of data on Panamian offshore / money laundering operations all formed by one incorporator Mossack Fonseca, a Panamanian law firm

Wikileaks had some comments on those very controlled media IV drips, i.e. where da fark are the Murican CEOs and politicians, and an explanation of why some countries politicians and rich have been spared: ISAJ's two biggest funders are CIA front USAID and Soros' Open Society Foundations.

Now one site has called out Mossack Fonseca's website security, namely really old versions of open source software.  Most notably, drumroll: Wordpress.  

Wordpress added autoupdates in version 3.7 (and their JetPack extension recently added an option for autoupdates of plugins and themes), and yet it doesn't seem to have significantly reduced the number of sites running old versions.  A quick google search yields several large sites still running ancient version, including:


an Azerbaijan gov't site for youth groups running v3.1


 Southern Bancorp (banksouthern.com) v3.3 (with a login to their online banking on the home page of this ancient vulnerable version!).  FYI, their SSL implementation is equally horrendous and is rated F by Qualsys https://www.ssllabs.com/ssltest/analyze.html?d=banksouthern.com 


 MTA.org, " a not-for-profit member association of over 4,500 investment professionals in 85 countries, is running the outdated and vulnerable v4.2.2


the New Yorker magazine 4.3.1


 blog.eBay.com is running v4.0.10


 Wall Street Journal blogs 3.9.3


 Reuters blogs 4.2.5


  News.Microsoft.com 4.3.3


... and  the list of government, financial, legal, ecommerce, entertainment, technology, and major corporate sites, with outdated vulnerable software and substandard security practices I could name and shame goes on and on and on.  


TL;DR WordPress has been one non-stop vulnerability patchfest since it launched (and the plugin ecosystem is amateur coding hour on parade), but the humans operating the sites are an even bigger security problem than the buggy code.

 

[DedidamNET]

If you have sensitive content, why would you use wordpress, which is known to have a lot of issues? I think all of them should have used more secure platforms.

 

[Licensecart]

If you have sensitive content, why would you use wordpress, which is known to have a lot of issues? I think all of them should have used more secure platforms.

Because it's popular just like billing systems, people go for what's popular not what's securer.

 

[Hostfolks]

It wouldn't supprise me, the more users you have the bigger target you are for exploits.