And every time there is a new security update you ask yourself: Should I take the time and install it or can I just hope that it will not hit me, because who would hack me?
At Amazee there’s only one answer: update and fix as fast as possible!
There’s a good (well…) example of what can happen if you don’t take your security job serious these days. The #PanamaPapers are all over the media across the globe: There’s a high chance that this data leak might have a tech aspect too, as there are strong indicators that the site security wasn’t maintained and that there are several vulnerabilities.
Currently the details of how the 2.4 TB of data exactly leaked are not public yet, but it is likely that the data might have been hacked from one of the company’s websites: https://portal.mossfon.com.
Let’s take a quick look at the source code of this site; we can see that it was built with Drupal 7.
A deeper look into other files unveils more dangerous things.
The changelog shows that the Drupal version is still 7.23; this means that it’s older than 2 years and has a very bad security hole “Drupalgeddon”. This allows anybody to inject PHP code on the website.
It’s possible that the site itself is patched for this security hole and still has the version Drupal 7.23 in the changelog.txt, but from the general (bad) state of the site we assume that this is not the case.
We might never know exactly how the data leaked, but it’s sure that it happened! Our key learning on the tech side is that security is very important and laziness can have very bad consequences.
That’s why we at Amazee Labs are using automated update tools like Drop Guard for Drupal and have weekly maintenance windows for all our servers and services.
Find the German version of this post here.