Outdated and Vulnerable WordPress and Drupal Versions May Have Contributed to the Panama Papers Breach

photo credit: Lock - (license)
photo credit: Lock(license)

Authorities have not yet identified the hacker behind the Panama Papers breach, nor have they isolated the exact attack vector. It is clear that Mossack Fonseca, the Panamanian law firm that protected the assets of the rich and powerful by setting up shell companies, had employed a dangerously loose policy towards web security and communications.

The firm ran its unencrypted emails through an outdated (2009) version of Microsoft’s Outlook Web Access. Outdated open source software running the frontend of the firm’s websites is also now suspected to have provided a vector for the compromise.

In initial communications with German newspaper the Süddeutsche Zeitung (SZ), an anonymous source offered the data with a few conditions, saying that his/her life was in danger.

“How much data are we talking about?” the SZ asked.

“More than anything you have ever seen,” the source said.

The Panama Papers breach is the largest data leak in history by a wide margin, with 2.6 terabytes of data, 11.5 million documents, and more than 214,000 shell companies exposed.

Forbes has identified outdated WordPress and Drupal installations as security holes that may have led to the data leak.

Forbes discovered the firm ran a three-month-old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that, according to Internet records, its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23.

This information is partially inaccurate, however. While looking at the site today, I found that the firm’s WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. Since that time WordPress has had numerous critical security updates.

The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/.

The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn’t been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilities that could have given the hacker access to the server. This includes a 2014 SQL injection vulnerability known in the Drupal community as “Drupalgeddon,” which affected every site running Drupal 7.31 or below.

Investigators have not confirmed if the open source software vulnerabilities were used to access the data, but it is certainly plausible given the severity of the vulnerabilities in both older versions of WordPress and Drupal.

“They seem to have been caught in a time warp,” Professor Alan Woodward, a computer security expert from Surrey University, told WIRED UK. “If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology.”

If these open source software vulnerabilities provided the access point for this massive leak, then this company’s global fiasco was entirely preventable. Although many people welcome the uncovering of corruption and dirty money transactions of famous people and world leaders, the reality is that these kinds of exploits can also be carried out on well-meaning organizations that exist to protect people’s health records, financial data, and other sensitive information.

This leak is not a measure of open source software’s reliability but rather underscores how low a priority some companies place on their tech departments and web security. With the rampant software vulnerabilities in this age, not updating software for years constitutes abject neglect of customers.

The bottom line is that software needs to be updated. This kind of routine maintenance is as foundational to a company’s business as brushing teeth or showering is for one’s health. Law firms and companies with such a lax approach to security are either ignorant or unwilling to spend the money to maintain technology that they don’t fully understand. The Panama Papers serve as a reminder that having a competent, skilled tech department is critical for any company that deals in sensitive information.

32 Comments


  1. I think that companies who run such sensitive operations would be wise to use one of the great WordPress hosting services, which also takes care of updates and hack prevention. Obviously, mixing this with very outdated Drupal (or anything else) installs isn’t the wisest of ideas.

    Report


    1. How about not placing any sensitive information on any website? I would feel pretty uncomfortable if I was asked to use WP uploader to send my passport photo and utility bills needed to open a company.

      Report


      1. I agree with you that using upload features of a well known tool like Worpdress for sensitive informations could lead to potential hacking especially if the software is not up to date.
        However, It’s probably safer and with less potential bugs using a product which exists since years than a custom made script in PHP made by a developer in 1 hour and that will break all possible security rules.

        Report


    2. Giving that data to one of those great WordPress hosting services is also a bad idea.

      Report


  2. Hahahaha. Point taken, but aren’t we glad the crooks who run and ruin the world have some gaps in their Death Stars?

    … or whose side are you on there, stormtrooper?

    Report


    1. Personally, I blame the architects that were dumb enough to leave a two meter hole in the middle of the galaxy’s ultimate weapon.

      Report


      1. *You* try getting an exhaust port for a ship the size of a small moon that small

        Report


  3. I recently wrote a blog post on what I often refer to as the culture of LAX security.

    While that post focuses on the miniscule percentage of sites running under SSL, and how to overcome historic objections SSL it reflects the greater problem of, often respected, hosts, dev/designers, and other ‘experts,’ downplaying security as less important than cost and convenience.

    Adding to the general lethargic history of the way security is deemphasized generally, it’s no surprise that we continue to witness increasing numbers of incidents of this scope.

    The point is that the open and closed source communities, and ancillary services, especially their leadership, must change the mediocre way security is approached, and how consumers are educated, if we want to break the culture of lax security.

    If interested, here is the original post: https://goo.gl/HBckBk

    Report


  4. The reality is that majority of websites are outdated with legacy technologies, vulnerable, too complicated, over-combined. From governments, big corporations, banks to hobbyist websites …

    All of these sits on the outdated hosting environments with rusted machines from the time our grandmas were young ;)
    Similar to this is the user experience. On one site I can’t change the email, on another the username or can’t simply delete my account bc. this and that … “excuse”.

    Even WPTavern does not use SSL. It is a 5 minutes job today on a modern hosting environment. Your contact form is safe the same way how it looks.

    Report


    1. +1000 (where is that reaction emoji when I need it ;) ). No point in even starting to discuss software flaws if admin access is not done over HTTPS.

      Report


  5. The problem is that as, we and by we I mean we in the WPTavern/WordPress Community, know all about updates. the Boards of Directors/the politicians don’t see why you have to pay again to “install it again” because they think once is enough. So when you ask them to pay you for maitenance/updates, they don’t see why the need “If WordPress is secure, I/We don’t need updates”.

    Things like this eventually happen.

    They worry about how things will break for clients, even though you tell them that you will do the updates at 1am-3am local time, that way the least amount of customers/residents will be on the website.

    A website is like a car, there is more costs to it that the costs of acquiring the website/car.

    Report


  6. Yet another baseless sensational headline. Just because something is not on the latest release doesn’t make it insecure, and for sure no one claimed that that was the way the documents were retrieved.

    Anyway, following the logic of the title, I can have a better sensationalist head line – “In 3 months 80% of wordpress sites will be insecure” (in 3 months version 5.5 of PHP will be EOL, and only about 16% of wordpress sites use a more current one). BTW currently it is more then 50% which are not secure.

    Report


    1. I’m agree with you: 4.1 but witch minor version?
      4.1.10 (that receive automatic update from 4.1) it’s full patched and secure even if it’s not the latest 4.4.2.
      Running “wpscan” on the website in not enought to understand the real cause of the leak.

      Report


      1. Those are just numbers. Many wordpress security issues are related to user privilege escalation and if that site did not have open user registration it would not have been effected.

        Just because there is some security issue do not mean that it can be abused. A very basic security measure in this kind of setup will be to limit access to the admin to the IP addresses of the office and then 90% of security issues can not be exploited in practice.

        Report


    2. What in the world is so sensationalist about Outdated and Vulnerable WordPress and Drupal Versions May Have Contributed to the Panama Papers Breach?

      It tells the reader that running outdated versions of Drupal and WordPress with known security holes may have led to the data breach. It’s not sensationalist, it’s a good headline and equally a good read. Why are you so damn cranky all the time?

      Report


      1. You know Jeff, you are right, but then the tittle “global warming might have contributed to….” would have been as accurate. When you say “might have” for most people it means that you have done some research and at least found hint that might support your theory. With the level of investigation done here (and I really do not expect NYT level, and happy with what I get) the only title that can be here is “the panama site ran outdated wordpress”. The hint as if it has anything to do with the hack itself is what make it overly sensational, and you really don’t need it people would have come to read in any case (except for maybe the slashdot crowd) and I am quite sure you do not get money for increased traffic, so it is totally not needed here.

        Report


  7. Wow, truly fantastic research Sarah.

    It is sad yet tell-tale how many in-house IT teams around the world have such egos that they refuse to use “real” providers and expert consultants to secure their data and infrastructure.

    On a daily basis, WordPress sites and other databases are breached at universities and companies around the world for this very reason.

    Google Apps, for example, is free for most universities, and WordPress itself is very easy to secure. But out of sheer laziness, incompetence, and ego-stroking, security is regularly ignored, resulting in mass student identity theft and corporate espionage, etc — but I guess this makes things a lot easier for the NSA and hackers, anyway…

    SSL, Disable XML-RPC, bcrypt, auto-updates are a few easy ways to immediately secure WordPress that take minutes to setup.

    Report


  8. The situation recalls the BPAS hack in 2012. Similar factors: an unknown CMS which was found to be years out of date, no security hardening despite being a public target, and an organisation using what was supposed to be a public-facing informational web site to store confidential client information. A further factor was high staff churn (e.g. there was no one working in the organisation who had been there when the web site was built) which meant no one had any idea that their data breach nightmare was building up. After the hack, BPAS received a £200,000 data protection fine on the grounds that their ignorance of their security loopholes was no excuse. Mossack Fonseca will get about as much sympathy from any Panamanian data regulators. Ultimately they hung themselves with their own rope.

    Contrast Mossack Fonseca being too lazy to update a theme, with the security precautions used by the consortium of journalists who worked on the story. http://www.wired.co.uk/news/archive/2016-04/04/panama-papers-data-leak-how-analysed-amount

    Report


  9. Maybe they forget the wp-admin log in password and username. So their wordpress are outdated. lol

    Report


    1. I would not be too surprised

      Report


  10. Awesome! Take a tiny bit of knowledge that you heard in a bar, a bunch of wild guesses, add a dose of technical ineptitude ginned up in hyperbole and then offer it all to a clueless audience. Case closed. Book ’em Danno!

    But, it doesn’t work that way, Sarah. Exchange 2010(OWA 2009) is fully supported and sufficiently current, even Exchange 2007 is. The portal correctly uses strong TLS security, and when last did you yourself encrypt an email? Never! I doubt that anyone reading this has actually used SMIME or PGP or any other end-to-end encryption of emails. The uninformed and hypocritical condescension is nauseating.

    There’s zero chance that this leak came through WordPress/Drupal on completely different and unconnected networks and it’s HIGHLY unlikely that anyone vacuumed 2.6TB of email through Outlook Web Access.

    That’s just not how any of this works. But, you got your clickbait article and a few more clueless Twitter followers, so who cares about reality, right?

    Report


    1. You definitely get the award today for most obnoxious, childish responder.
      If you can’t make your point without the personal attack, perhaps you need to think about growing up a few years before engaging with adults. Now, run along, Trump junior.

      Report


    2. Well gee sir, you’re so smart, where’s your 20 page analytical paper that explains point by point how the data breach happened since you seem to know how all of this works. Give me a break.

      Report


      1. No need to be rocket engineer here, this kind of things is almost always social engineering or insider jobs. Due to the amount of data retrieved I am very skeptical it physically could have been accomplished via the web site without being detected.

        Report


  11. What’s the issue with that version of OWA?

    AFAIK, there’s no way that this could have lead to a hack.

    Report


  12. That would require an extraordinary level of stupidty to post information like that behind nothing more than a WordPress login system.

    Report


  13. Interesting info but I think the title is baseless. There’s no evidence that their WordPress site was breached, and even if it was, it’s highly unlikely they were storing any sensitive documents on it, let alone 11.5 million.

    Report


    1. It’s not baseless and now with news that their WordPress site was running a vulnerable version of Rev Slider that allowed an attacker to easily upload and execute a remote shell, it could have led to gaining access to systems within the network.

      Also, the words “May Have Contributed” in the title are a lot different than “Contributed”. It’s called wiggle room as the story develops.

      Report

Comments are closed.