Mossack Fonseca Case and Drupal, Hacked?

June 18, 2021

Disclaimer: This post is based on assumptions and comments made in online forums. None of the information provided should be considered factual. The goal is to highlight the importance of the points discussed below.

 

Context: The Mossack Fonseca Case

If you’re unfamiliar with the Mossack Fonseca case, also known as the "Panama Papers," you can read more about it at this link (in Spanish).

 

In summary, the Panama Papers is the largest data breach in history, involving over 4.8 million emails, along with other documents. It is believed that the Mossack Fonseca emails were obtained through a WordPress site, and that access to the documents was gained via a Drupal portal. Reference here.

 

In this post, we’ll focus on what could have happened with Drupal.

 

The Mossfon Client Information Portal

Mossack Fonseca had a portal known as the Mossfon Client Information Portal, which allowed users to access their corporate information securely and receive real-time updates on ongoing requests. Here's a screenshot of the portal:

 

At the time of the alleged breach, the portal was running Drupal version 7.23. This version already had 23 reported vulnerabilities, and currently, the number stands at 31 vulnerabilities. You can check the details here: Drupal 7.23 Vulnerabilities. These are just the core vulnerabilities, excluding any found in contributed modules.

 

It was easy to determine the version of Drupal because the site’s changelog was publicly accessible at the following link: https://portal.mossfon.com/CHANGELOG.txt, which is now returning a "Forbidden" error. Below is a screenshot before it was blocked:

 

Additionally, other files, such as INSTALL.txt, were also publicly accessible: https://portal.mossfon.com/INSTALL.txt. These are basic files that come with any Drupal installation, and they should either be removed or properly protected. For these reasons, it is very likely that Drupal was one of the points of entry for this major breach.

 

What Can You Do if You Use Drupal or Other Platforms in Your Organization?

Software vulnerabilities are common across all types of platforms—operating systems, web platforms, mobile apps, etc. Programmers are not perfect, and flaws can appear in any software over time. A similar breach occurred with the iCloud platform, where personal photos of celebrities were stolen.

 

Drupal, however, is a platform backed by a dedicated community focused on security. The Drupal Security Team works to address and resolve security issues. Recently, Drupal.org introduced a feature where a shield icon appears next to contributed modules that have been inspected and vetted by the security team. Here’s an example from the Panels project page: Panels on Drupal.org.

 

Currently, Drupal version 7 has full security coverage from the Drupal Security Team, as shown below:

 

What Could Mossack Fonseca Have Done to Improve Security?

If Mossack Fonseca had taken the following actions, they might have prevented or mitigated the breach:

  • Keep Drupal Core and Contributed Modules Updated: It’s crucial to install security updates as soon as they are released. Even if a new version doesn’t bring major features, updates often contain critical security patches that can prevent hackers from exploiting known vulnerabilities.
  • Remove or Protect Files Revealing Platform Information: Files such as CHANGELOG.txt and INSTALL.txt should never be left publicly accessible, and HTTP response headers that reveal platform details should be suppressed. This information can give hackers valuable insights into the platform version and potential vulnerabilities.
  • Use HTTPS for Login Pages: Any site that handles user logins should require HTTPS. This ensures that login credentials are encrypted in transit between the browser and the server.
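
The three checks above can be turned into a self-audit for a site you administer. The following is an added example, not code from the original post or from the Drupal project; the host `portal.example.test`, the `fetch` callback and all sample responses are constructed assumptions, and the header check is a simple heuristic.

```python
import re

# Core files the post names as version-disclosing; /user/login is Drupal's login path.
DISCLOSURE_FILES = ("CHANGELOG.txt", "INSTALL.txt")
VERSION_RE = re.compile(r"^Drupal (\d+\.\d+)", re.MULTILINE)

def audit(host, fetch):
    """Audit your own site. fetch(url) -> (status, headers, body). Returns findings."""
    findings = []
    for name in DISCLOSURE_FILES:
        status, _, body = fetch(f"https://{host}/{name}")
        if status == 200:
            m = VERSION_RE.search(body)
            extra = f", discloses Drupal {m.group(1)}" if m else ""
            findings.append(f"{name} is publicly readable{extra}")
    _, headers, _ = fetch(f"https://{host}/")
    for key, value in headers.items():
        # Heuristic: a generator/server banner containing a digit leaks a version.
        if key.lower() in ("x-generator", "x-powered-by", "server") and re.search(r"\d", value):
            findings.append(f"header {key} reveals platform details: {value}")
    # The plain-HTTP login URL must redirect to HTTPS instead of serving the form.
    status, headers, _ = fetch(f"http://{host}/user/login")
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if not (status in (301, 302, 307, 308) and location.startswith("https://")):
        findings.append("login page is reachable over plain HTTP")
    return findings

def fake_site(responses):
    """Build an offline fetch() from constructed responses; unknown URLs return 404."""
    return lambda url: responses.get(url, (404, {}, ""))

# Constructed sample responses for a placeholder host (not captured from any real site).
WEAK = fake_site({
    "https://portal.example.test/CHANGELOG.txt": (200, {}, "\nDrupal 7.23, 2013-08-07\n-----------------------\n"),
    "https://portal.example.test/INSTALL.txt": (200, {}, "REQUIREMENTS AND NOTES\n"),
    "https://portal.example.test/": (200, {"X-Generator": "Drupal 7 (http://drupal.org)"}, ""),
    "http://portal.example.test/user/login": (200, {}, "<form>"),
})
HARDENED = fake_site({
    "https://portal.example.test/CHANGELOG.txt": (403, {}, ""),
    "https://portal.example.test/": (200, {"Server": "Apache"}, ""),
    "http://portal.example.test/user/login": (301, {"Location": "https://portal.example.test/user/login"}, ""),
})

if __name__ == "__main__":
    for label, site in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit("portal.example.test", site))
```

To run it against a live site you administer, pass a `fetch` built on your HTTP client with redirect following disabled, so the plain-HTTP login check sees the redirect itself.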

 

Basic Security Tips for Your Drupal Site

While the suggestions above are basic, there are many other measures you can take to secure your Drupal site. If you have questions or need more information about website security, please contact us.

 
