Drupal confirms credential breach following third party application vulnerability

Hackers have hit the open source content management platform Drupal and captured nearly one million accounts.

According to a blog post by Holly Ross, executive director of the Drupal Association, the non-profit organisation that supports the open source CMS project, the problem was a known vulnerability in third-party software installed on company servers. Drupal acknowledged that it had worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed

She confirmed that the information exposed included user names, email addresses and country information, as well as hashed passwords.

“However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly,” she said.

“As a precautionary measure, we've reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt. All Drupal.org passwords are both hashed and salted, although some older passwords on some sub-sites were not salted.”

Ross said that at the moment, Drupal had not found any additional malicious or dangerous files, and it was making scanning a routine job in its process.

Commenting, Chris Wysopal, CTO of Veracode, said that this is a "clear example of how vulnerabilities in third-party applications can be exploited by malicious hackers".

He said: “In this case, the attack is believed to have exposed user names, country information, email addresses and cryptographically hashed passwords of almost a million users.

“This incident underscores the need for organisations to fully audit and understand all of their application perimeter, including often ignored third-party apps to safeguard the data and privacy of their users.”

Speaking to SC Magazine about protecting the passwords by salting and hashing, security researcher Troy Hunt said: “In short, no cryptography is terrible - encryption only is bad. Hashing with no salting is woeful, hashing once with a salt is almost useless and hashing about 1,000 times with a salt is where the password games now start.

He said: “Salting is a bit hard to get wrong; it's just random bytes of sufficient length. Both salt and the choice of modern hashing algorithm (SHAx) are almost always not the problem, it's the iterations. Using PBKDF2 to increase the rounds of hashing is critical or go to something like bcrypt, which allows for the hash workload to be exponentially increased.”

Asked what the best ways were to manage third-party applications and vulnerabilities inside them, Hunt said: “Third-party apps are tricky, as short of auditing them yourself, you're really accepting that the developer has done a sufficient job.

“Breaches through these happen all the time though – it was the same thing that recently caught out Adobe with its forum software. It's the same old sage advice really: try and use well-renowned broadly used products (if there's a vulnerability, hopefully someone else will find it first) and definitely keep them up to date (how often do we see unpatched versions where risks were fixed years ago?).”

Luis Corrons, technical director of PandaLabs, added that these days, most infections come from vulnerabilities, and managing all patches for all software applications used in a business is one of the biggest challenges that IT departments have to face nowadays.

He said: “Now with all these vulnerabilities, plus the ‘bring your own device' phenomenon, the only way a company can deal with it is having some solution that allows to have a real control over all the devices that connect to your network, what software they are running, automate the deployment of updates and patches for software installed, etc.”