Panama Papers hack: Unpatched WordPress, Drupal bugs to blame?

The extraordinary leak of documents from law firm Mossack Fonseca that has spun a spotlight on the tax-avoiding efforts by the world's elite was likely the result of unpatched content management systems (CMSes).

A slew of stories this past week drawn from the 11.5 million documents and 2.6TB of data have seen the prime minister of Iceland resign, sparked calls for the resignation of UK prime minister David Cameron, and caused significant embarrassment to hundreds of others across the world.

The information was assumed to have come from a hacked email server – and that may still be true – but increasingly the evidence points to the fact that hackers found their way into the law firm's system through unpatched versions of the common WordPress and Drupal CMSes.

Mossack Fonseca has two main websites: its front-facing website, which runs on WordPress; and a customer portal for sharing sensitive information with customers, which runs Drupal.

Both of those sites were running outdated versions of the software and in both cases significant security holes existed that would have allowed hackers access.

The main website's WordPress installation was three months out of date and one company, WordFence, has gone into an extensive rundown of what it believes was the entry point: an unpatched version of the Revolution Slider plugin – a plugin used to simplify website design.

Security vulnerabilities would have allowed hackers to gain admin access on the web server, and the WordFence team notes that the law firm's mail server was hosted at the same IP address as the WordPress server.

In other words, hackers could have found their way into the system through Mossack Fonseca's website and then accessed its mail server, downloading all the emails.

Drupal

Another entry point, however, is the secure portal that the company ran where it enabled customers to log in and share details of their business dealings.

That site ran Drupal version 7.23 and, as every Drupal sysadmin would be all too aware, that version came before a nightmare security patch in version 7.32 which was so bad that security experts warned that if people had not patched their sites the same day the patch was released, they should assume they had been hacked and consider a fresh install.

That security warning was issued back in October 2014, and so Mossack Fonseca's "secure portal" was wide open to exploitation for over a year. It is possible that hackers could have downloaded all the files that have been leaked through that system.

Without seeing the actual documents provided to select groups of journalists across the world, it will be difficult to know exactly where the documents were pulled from, and the journalists themselves have said they do not intend to make those files readily available due to the extensive private details they include.

The lesson of course is patch, patch, PATCH. WordPress has made big strides in this area by allowing for automated security updates and one-click plugin updates. Drupal, however, still requires you to manually install updates, and updating the core Drupal software requires additional efforts that result in people putting off updates for months.

WordPress' superior system is thought to be one of the main reasons why its popularity has soared in the past few years, while Drupal's has fallen. ®