Drupal confirms credential breach following third party application vulnerability

Hackers have hit the open source content management platform Drupal and captured nearly one million accounts.

According to a blog post by Holly Ross, executive director of the
Drupal Association, the non-profit organisation that supports the open
source CMS project, the breach resulted from a known vulnerability in
third-party software installed on Drupal.org servers. The association
said it had worked with the vendor to confirm that the vulnerability was
already known and had been publicly disclosed.
She confirmed that the information exposed included user names, email
addresses and country information, as well as hashed passwords.
“However, we are still investigating the incident and may learn about
other types of information compromised, in which case we will notify you
accordingly,” she said.
“As a precautionary measure, we’ve reset all Drupal.org account holder
passwords and are requiring users to reset their passwords at their next
login attempt. All Drupal.org passwords are both hashed and salted,
although some older passwords on some sub-sites were not salted.”
Ross said that, at the time of writing, Drupal had not found any
additional malicious or dangerous files, and that it was making such
scanning a routine part of its process.
Commenting, Chris Wysopal, CTO of Veracode, said that this is a “clear
example of how vulnerabilities in third-party applications can be
exploited by malicious hackers”.
He said: “In this case, the attack is believed to have exposed user
names, country information, email addresses and cryptographically hashed
passwords of almost a million users.
“This incident underscores the need for organisations to fully audit
and understand all of their application perimeter, including often
ignored third-party apps to safeguard the data and privacy of their
users.”
Speaking to SC Magazine about protecting the passwords by salting and
hashing, security researcher Troy Hunt said: “In short, no cryptography
is terrible – encryption only is bad. Hashing with no salting is woeful,
hashing once with a salt is almost useless and hashing about 1,000
times with a salt is where the password games now start.”
He said: “Salting is a bit hard to get wrong; it’s just random bytes of
sufficient length. Both salt and the choice of modern hashing algorithm
(SHAx) are almost always not the problem, it’s the iterations. Using
PBKDF2 to increase the rounds of hashing is critical or go to something
like bcrypt, which allows for the hash workload to be exponentially
increased.”
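To make the progression Hunt describes concrete, the following is an added example (not code from Drupal.org or from any party quoted in this article). It shows the three storage schemes side by side: an unsalted SHA-256, a salted single SHA-256, and PBKDF2-HMAC-SHA256 with a random per-user salt and a configurable iteration count, plus a verifier that uses a constant-time comparison and a check for records hashed with fewer rounds than current policy demands. The iteration count, salt length and record format are assumptions chosen for the example, not Drupal.org's settings.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example only; they are not values from Drupal.org.
PBKDF2_ITERATIONS = 100_000   # work factor: raise it as hardware gets faster
SALT_BYTES = 16               # 128-bit random salt per user


def unsalted_sha256(password: str) -> str:
    """'Hashing with no salting': the same password always yields the same
    digest, so one precomputed table cracks every user who chose it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_single_sha256(password: str, salt: bytes) -> str:
    """'Hashing once with a salt': precomputed tables no longer apply, but a
    single SHA-256 is still cheap enough for billions of guesses per second."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random salt. The returned record is
    self-describing (algorithm$iterations$salt$hash) so the verifier can
    recompute it, and so old records can be found and upgraded later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in
    constant time so a timing side channel does not leak matching prefixes."""
    try:
        algo, iterations, b64_salt, b64_hash = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(b64_salt)
    expected = base64.b64decode(b64_hash)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, current_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record uses a weaker scheme or fewer rounds than policy now
    requires; the usual fix is to rehash on the next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < current_iterations


if __name__ == "__main__":
    # Constructed sample password for demonstration.
    pw = "correct horse battery staple"
    print("unsalted:       ", unsalted_sha256(pw))
    print("salted once:    ", salted_single_sha256(pw, os.urandom(SALT_BYTES)))
    record = hash_password(pw)
    print("pbkdf2 record:  ", record)
    print("verify ok:      ", verify_password(pw, record))
    print("verify wrong pw:", verify_password("password123", record))
    legacy = hash_password(pw, iterations=1_000)
    print("legacy needs rehash:", needs_rehash(legacy))
```

The `needs_rehash` check is what lets a site move from 1,000 rounds to 100,000 without forcing a mass reset: verify against the stored parameters, and if they fall below policy, re-store the password with `hash_password` while the plaintext is in hand.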
Asked what the best ways were to manage third-party applications and
vulnerabilities inside them, Hunt said: “Third-party apps are tricky, as
short of auditing them yourself, you’re really accepting that the
developer has done a sufficient job.
“Breaches through these happen all the time though – it was the same
thing that recently caught out Adobe with its forum software. It’s the
same old sage advice really: try and use well-renowned broadly used
products (if there’s a vulnerability, hopefully someone else will find
it first) and definitely keep them up to date (how often do we see
unpatched versions where risks were fixed years ago?).”
Luis Corrons, technical director of PandaLabs, added that these days,
most infections come from vulnerabilities, and managing all patches for
all software applications used in a business is one of the biggest
challenges that IT departments have to face nowadays.
He said: “Now with all these vulnerabilities, plus the ‘bring your own
device’ phenomenon, the only way a company can deal with it is having
some solution that allows you to have real control over all the devices
that connect to your network, what software they are running, automate
the deployment of updates and patches for software installed, etc.”