Cambridge Analytica vulnerable to Drupalgeddon
Following the controversy over the use of Facebook data by the UK firm Cambridge Analytica, privacy and data security have become a hot topic in the first half of 2018. At the same time, the widely used enterprise content management system Drupal has had a string of security vulnerabilities:
- Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001
- Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002
- Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003
- Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004
The Drupal security team has acted very professionally in this case, announcing the vulnerabilities and their patch release dates well in advance of public disclosure. However, given the severity of the vulnerabilities and the large number of abandoned Drupal installations, automated botnets exploiting these vulnerabilities have emerged.
These botnets automatically crawl the one million+ known Drupal installations, looking for ones they can breach and exploit. With timely updates and proper update procedures this risk can be managed. However, it seems that Cambridge Analytica is not taking these vulnerabilities seriously.
Ever since the release of the highly critical SA-CORE-2018-002 advisory, the Drupal installations run by Cambridge Analytica have been vulnerable. Currently at least the following sites are all vulnerable to well known and actively exploited Cross Site Scripting and Remote Code Execution vulnerabilities:
This information comes from an insecurely configured Drupal installation that exposes its change log (https://cambridgeanalytica.org/core/CHANGELOG.txt), shown below:
While the public facing Drupal installations probably don't (and shouldn't) contain any critical information, it is still worrying that a company that handles sensitive data does not maintain even basic security on its online facilities. In addition, especially with the Remote Code Execution vulnerability, it is possible for competent attackers to pivot from the compromised server to other systems.
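As an added example (not code from the original post), the kind of defender-side check a site owner could run against a change log exposed like the one described above: it parses the newest release header from Drupal's CHANGELOG.txt and reports which of the four advisories listed in this post the installed release predates. The fixed-version numbers are assumed from the Drupal advisories and should be verified there; the sample change log is constructed.

```python
import re

# Lowest release on each major branch that carries the fix for each advisory
# listed in the post. Assumed from the Drupal advisories; verify before relying
# on them. Backported point releases on older minor branches (e.g. 8.4.x) are
# not listed, so such a site is flagged conservatively as needing review.
FIXED_IN = {
    "SA-CORE-2018-001": {7: (7, 57), 8: (8, 4, 5)},
    "SA-CORE-2018-002": {7: (7, 58), 8: (8, 5, 1)},
    "SA-CORE-2018-003": {8: (8, 5, 2)},              # Drupal 8 only
    "SA-CORE-2018-004": {7: (7, 59), 8: (8, 5, 3)},
}

# Release headers look like "Drupal 8.5.0, 2018-03-07" or "Drupal 7.58, 2018-03-28".
HEADER = re.compile(r"^Drupal (\d+(?:\.\d+)+),", re.M)


def installed_version(changelog_text):
    """Return the newest release named in CHANGELOG.txt as a tuple of ints.

    Drupal lists releases newest-first, so the first header is the installed one.
    """
    m = HEADER.search(changelog_text)
    if not m:
        raise ValueError("no 'Drupal X.Y.Z,' header found; not a Drupal CHANGELOG.txt")
    return tuple(int(part) for part in m.group(1).split("."))


def missing_advisories(version):
    """Advisories whose fix release is newer than the installed release on its branch."""
    major = version[0]
    return [sa for sa, fixed in FIXED_IN.items()
            if major in fixed and version < fixed[major]]


# Constructed sample of an exposed core/CHANGELOG.txt from a site stuck on 8.5.0.
SAMPLE_CHANGELOG = """\
Drupal 8.5.0, 2018-03-07
------------------------
- Minor release; see the release notes.

Drupal 8.4.5, 2018-02-21
------------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.
"""

if __name__ == "__main__":
    v = installed_version(SAMPLE_CHANGELOG)
    print("installed:", ".".join(map(str, v)), "missing:", missing_advisories(v))
```

A check like this only works because the file is world-readable, which is itself the misconfiguration the post points at; a well-maintained site should not serve CHANGELOG.txt at all.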
If an organisation can't even maintain a basic level of security, is it really one that is responsible enough to collect and process any sensitive information?
UPDATE: Some hours after publication of this article, Cambridge Analytica responded by upgrading their installation. However, their installation had been vulnerable for MONTHS, so that is no excuse.