Amnesty nods Plone CMS bug
A hacker is claiming to have breached the FBI’s content management system, dumping email addresses and SHA1-hashed passwords, with their salts, online.
The hacker, using the handle @cyberzeist, claims to have breached the Plone CMS using a zero-day flaw allegedly for sale on an unnamed dark web site.
The Register has contacted the FBI to confirm the allegations. It was not immediately available for comment, though an operative was aware of the claimed incident.
Cyberzeist claims to have conducted the hack last month and has posted to Twitter what they claim are screen captures showing the FBI patching against the vulnerability, which appeared to permit public access.
The hacker dumped the 155 purported stolen credentials to the online clipboard Pastebin, claiming a vulnerability resides in a Plone Python module. They said the websites of the European Union Agency for Network and Information Security and the National Intellectual Property Rights Coordination Center are also vulnerable.
Cyberzeist also claimed the FBI contacted the hacker requesting a copy of the stolen credentials, which they declined to provide.
The hacker reckoned the CMS was hosted on a virtual machine running a custom FreeBSD. They said they will tweet the zero day flaw once it is no longer for sale.
FBI trying to patch-up their Plone CMS #0day at https://t.co/IRhqdQjNbp, too late!! #ComingSoon #NewYearsEve pic.twitter.com/u7KOXNO3qV
— CyberZeist (@cyberzeist2) December 31, 2016
The FBI is a confirmed user of the Plone CMS, as is Amnesty International.
The latter organisation acknowledged a warning from Cyberzeist that its CMS was exposed.
The hacker claimed the FBI’s site was offline on New Year’s Eve, but none of the dozen WayBackMachine site captures of the FBI’s homepage on 31 December and 1 January indicated it was unavailable. ®