The Drupal Association explained in a notice that hackers were able to get into the system via a known vulnerability inside third-party software that was installed on the Drupal.org server infrastructure. It emphasized that as such, the breach was not the result of a vulnerability within Drupal itself. “This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally,” said Drupal Association executive director Holly Ross.
The issue is significant considering its customer base: Drupal is a content management system that supports everything from personal blogs to enterprise applications, somewhat akin to WordPress. It’s used by some heavy-hitters, too: The Economist, Examiner.com and The White House number among its users.
“The Drupal attack is a clear example of how vulnerabilities in third party applications can be exploited by malicious hackers,” said Chris Wysopal, CTO at Veracode, commenting to Infosecurity. “In this case, the attack is believed to have exposed user names, country information, email addresses and cryptographically hashed passwords of almost a million users. This incident underscores the need for organizations to fully audit and understand all of their application perimeter, including often ignored third-party apps to safeguard the data and privacy of their users.”
The good news is that Drupal doesn’t store credit card information, so financials are safe. But the information exposed includes usernames, email addresses and country information, as well as hashed passwords, for almost one million accounts. And, it’s a laundry list that could expand: “We are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly,” Ross added.
While the Drupal Association detected “unauthorized access” to the server, there’s no evidence that any information was actually stolen. Even so, as a precaution Drupal is wisely requiring all users to reset their passwords at their next login attempt.
Ross declined to name the third party responsible for the flaw, saying only that the company has worked with the software vendor to confirm the known vulnerability, which has been publicly disclosed. “We are still investigating and will share more detail when it is appropriate,” she said.
Drupal came across the vulnerability in a routine security audit. “Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files,” Ross noted. “The Drupal security team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability.”
Attacks on CMS platforms are well-known, particularly against WordPress and Joomla, which have been used to spread malware or have had accounts hijacked. As more publications (and enterprises) turn to open-source solutions, it’s likely that hackers will continue to eye these platforms as an attractive target. In April, WordPress was the victim of a “brute-force” attack by a network of almost 100,000 bots looking to crack account passwords, presumably to add to the bot force.
In the aftermath of the Drupal issue, the company said that it was beefing up its security policies with a raft of changes. Among other steps, it had Open Source Lab, the group that hosts the servers for Drupal, rebuild the production, staging and development webheads for the service. GRSEC secure kernels were also added to most servers, and it hardened its Apache web server configurations. An anti-virus scanner was also run over file servers, and is now being run routinely to detect any malicious files being uploaded to the Drupal.org servers, it said.
It also cleaned up its infrastructure a bit, by making static archives of any site that has been “end-of-lifed,” i.e., which will not be updated in the future, and converting sites that are no longer going to receive feature or content updates to static copies to minimize maintenance. Drupal also removed old passwords on sub-sites and non-production installations.