12 Jun 2013

Unauthorized access to Drupal

Drupal is the provider of one of the world's most powerful content management software packages. It is an open source system known for its user-friendly attributes and strong security features. However, unauthorized access to all information stored on Drupal's server forced the provider to reset the passwords for all its accounts.

The software provider reported late on 29th May, 2013 that this breach was not caused by any security vulnerability in its software, but by third-party software that was installed on the Drupal server infrastructure. Information exposed by this security breach included hashed passwords, country information, email addresses and usernames. The provider also reported that the breach did not affect any website running the Drupal CMS (content management system) software; only data for user accounts stored on groups.drupal.org and Drupal.org was affected. Drupal.org is responsible for keeping records of Drupal code and work contributed by developers. groups.drupal.org, or Drupal Groups, is a community where users plan and organize projects.

Drupal announced the security breach on its website. Drupal Association's Executive Director Holly Ross said that the provider has undertaken further investigation to find out whether any other information or data has been compromised because of this security breach. Drupal reported through its FAQ section that credit card information is never stored on its site and that there is no evidence of any credit card information being compromised. The provider also mentioned that the core software and contributed packages on Drupal.org have been left untouched and unaffected by the breach, as there are no signs of any modifications.

The security breach was noticed during a security audit. It was found that the association.drupal.org servers had a malicious file installed by a third-party application that was being used by association.drupal.org. The site (Drupal Association) was immediately shut down by the provider in order to mitigate any security issues caused by the rogue file. The forensic evaluation team found that user account information was compromised. Drupal did not identify the third-party application.

The provider has told all account holders to change their passwords on Drupal.org and groups.drupal.org the next time they log in. Guidelines were given on how to change the passwords. As of now, Drupal has no idea who is behind this attack, and it is widely estimated that the number of affected users will be around 1 million.

Security features have been tightened by the open-source CMS provider. The group has changed the configurations of the Apache servers and is currently running anti-virus programs on a regular basis to identify malicious files uploaded to the servers of Drupal.org. The provider has also added GRSEC secure kernels to the majority of the servers.
