Panama Papers hack: Unpatched WordPress, Drupal bugs to blame?


The extraordinary leak of files from law firm Mossack Fonseca that has thrown a spotlight on the tax-avoidance efforts of the world's elite was probably the result of unpatched content management systems (CMSes).

A slew of stories this past week drawn from the 11.5 million documents and 2.6TB of data have seen the prime minister of Iceland resign, sparked calls for the resignation of UK prime minister David Cameron, and caused huge embarrassment to many others around the world.

The data was assumed to have come from a hacked email server – and that may still be true – but increasingly the evidence points to hackers having found their way into the law firm's systems via unpatched versions of the popular WordPress and Drupal CMSes.

Mossack Fonseca has two main websites: its front-facing website, which runs on WordPress, and a client portal for sharing sensitive data with customers, which runs Drupal.

Both of these websites were running old versions of the software, and in each case significant security holes existed that would have allowed hackers access.

The main website's WordPress installation was three months out of date. One company, Wordfence, has gone into an extensive rundown of what it believes was the entry point: an unpatched version of the Revolution Slider plugin – a plugin used to simplify website design.

Security vulnerabilities could have allowed hackers to gain admin access to the web server. The Wordfence team notes that the law firm's mail server was hosted on the same IP address as the WordPress server.

In other words, hackers could have found their way into the system through Mossack Fonseca's website and then accessed its mail server, downloading all the emails.


Another entry point, however, is the secure portal that the company ran, where it enabled customers to log in and share details of their business dealings.

That site ran Drupal version 7.23 and, as every Drupal sysadmin will be all too aware, that version came before a nightmare security patch in version 7.32. The hole it fixed was so bad that security experts warned that anyone who had not patched their site the same day the patch was released should assume they had been hacked and consider a fresh install.

That security warning was issued back in October 2014, and so Mossack Fonseca's "secure portal" was wide open to exploitation for over a year. It is possible that hackers could have downloaded all the documents that have been leaked through that system.

Without seeing the actual files provided to select groups of journalists around the world, it will be hard to know exactly where the files were pulled from, and the journalists themselves have said they do not plan to make those files readily available because of the extensive personal details they include.


The lesson, of course, is patch, patch, PATCH. WordPress has made huge strides in this area by allowing automatic security updates and one-click plugin updates. Drupal, however, still requires you to install updates manually, and updating the core Drupal software takes additional effort, which results in people putting off updates for months.

WordPress's superior update system is one of the main reasons why its popularity has soared over the past few years, while Drupal's has fallen.