Did Drupal and Drupalgeddon lead to Panama Papers leaks at Mossack Fonseca?

Submitted by dryer on Tue, 04/05/2016 - 17:28
[Image: Drupal, Panama Papers leak at Mossack Fonseca]

Recently a giant information leak revealed a number of individuals practising tax evasion through the Panamanian company Mossack Fonseca. In the wake of the stories revealing the culprits behind the evasion itself, Forbes has done investigative journalism to find the reasons that led to the leak itself.

The surprising suspect is Free Software. The championed tools associated with freedom of speech and freedom from evil corporations are indeed used widely everywhere - for good and for evil.

For the Panama leaks, the available information suggests the first steps of the leak were taken through a vulnerability in Drupal, known as Drupalgeddon:

FORBES discovered the firm ran a three-month old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that its portal used by customers to access sensitive data was run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data. Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running anything below version 7.32 within seven hours of its release should have assumed they’d been hacked.
- The Amazing Flight Of The Panama Papers

While it's not clear whether Drupal and Drupalgeddon are the reason behind the leak, the fact is that there are likely thousands of vulnerable Drupal installations around the world. And it's not limited to Drupal, but applies to many projects that run on the web and are deployed in large numbers. Whether or not Drupal was used in the attacks does not matter - the issue is larger than this (giant) data leak.

[Image: Drupal version running at the Panama leaks site]

Because WordPress and Drupal are so mundane nowadays, people easily forget that they are continuously online targets for malicious activities such as data breaches and for use as DDoS platforms. In most cases a breach is probably of little value to attackers, but given how easily online web services can be compromised automatically - they're truly a honeypot waiting to be opened.

Since there is no clear entity to blame for Drupal or for many Open Source projects, as opposed to commercial entities like Oracle or Microsoft - there is no single party to point to and hold responsible. In case you're interested, read the Warranty section of the GPL license which Drupal uses. It's not a hidden hint that you run this software at your own risk, but a plainly stated fact. That clause is obviously there to protect the developers contributing to Open Source.

Using closed source software can limit access to updates and so on, which makes Open Source stronger, as there are no excuses for not applying security patches - they're available to anyone. The negligence of not maintaining software is the same for closed and open source alike. The Mossack Fonseca portal was still running vulnerable software on April 6th according to the CHANGELOG.txt file exposing the Drupal version in use, but it is unclear whether the exploit has been used.

Increased awareness of web service security matters is required from the Open Source communities so that we avoid large information leaks in the future. In this case the leaked data may have served a righteous cause, but poorly stored credit card numbers or other sensitive data kept in an unmaintained Open Source content management system like Drupal or WordPress could be a serious blow to the credibility of Open Source as a whole.

After Drupalgeddon there was also the widespread OpenSSL Heartbleed vulnerability, which again illustrates that even though the software is free - it's not free of maintenance. Like any tools, they need to be maintained or they can become vulnerable or start to malfunction. Free can be very expensive, as the Mossack Fonseca case suggests.