Microsoft’s website dedicated to fighting US government surveillance has been “hacked” by a spammer. According to the investigation reports, the website was still running an old and vulnerable version of WordPress.
The website, Digital Constitution, was launched in mid-2013 shortly after the first Edward Snowden leaks came out. It soon became a platform for Microsoft’s corporate views on government surveillance and, more recently, for its fight against a worldwide search warrant.
As reported by ZDNet, which captured a screenshot, the “site appears to have been modified around 9:15pm ET on Wednesday.” The hacker “inserted text with keywords” such as “poker,” “casino,” “blackjack,” “roulette,” and “craps.” A few new webpages were also “embedded to display content that inserts text from other websites within casino niche.” Digital Constitution has since been shut down.
“It’s not clear who was behind the attack,” ZDNet stated. It is also unknown how long ago the website was compromised to advertise online gambling.
But since Digital Constitution was running an outdated WordPress 4.0.5, “it seems likely that the site takeover was opportunistic work by the blackest of black-hat SEO crews simply using automated tools to scan thousands of websites for exploitable, non-updated CMS systems,” The Stack stated.
Based on the sort of material inserted into the website, it does not look like an attack claimed by any specific hacker or group; more likely it was a spammer able to abuse a vulnerability in the outdated version of the website’s software.
Some of the material was removed within an hour of the attack, but some hidden pages remained.
Although Microsoft holds the copyright on the website, the site also says that its development and design were completed by New Media Campaigns, a firm that states it builds websites that are “easy to update and manage.”
Microsoft had not posted any new material on the website since April 2015. On 6 May 2015, WordPress 4.2.2 was released as a “major security release.” Besides fixing 13 bugs, the version addresses two XSS vulnerabilities:
The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it.
WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.
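To make the release note above concrete, here is an added audit script (not from the article, WordPress or Microsoft) that reads the core version from wp-includes/version.php, flags anything below 4.2.2, and walks wp-content for the Genericons HTML page the same way the 4.2.2 cleanup scan does. It assumes the file is the package’s example.html (the article names no filename) and builds a constructed 4.0.5 sample tree to run against.

```python
import os
import re
import tempfile

# Minimum core version carrying the fixes in the release note above.
MIN_VERSION = (4, 2, 2)
# Assumption: the article only says "an HTML file"; example.html is the demo page
# that the Genericons package itself ships.
GENERICONS_HTML = "example.html"

def parse_wp_version(version_php: str):
    """Pull $wp_version out of the text of wp-includes/version.php as an int tuple."""
    m = re.search(r"\$wp_version\s*=\s*'([0-9]+(?:\.[0-9]+)*)'", version_php)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_outdated(version) -> bool:
    """True if version is below MIN_VERSION; a short '4.2' compares as (4, 2, 0)."""
    padded = tuple(version) + (0,) * (len(MIN_VERSION) - len(version))
    return padded < MIN_VERSION

def find_genericons_html(wp_root: str):
    """List every genericons/<GENERICONS_HTML> under wp-content, like the 4.2.2 scan."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.path.join(wp_root, "wp-content")):
        if os.path.basename(dirpath) == "genericons" and GENERICONS_HTML in files:
            hits.append(os.path.join(dirpath, GENERICONS_HTML))
    return sorted(hits)

def audit(wp_root: str) -> dict:
    """Report the core version and any leftover Genericons pages for one install."""
    with open(os.path.join(wp_root, "wp-includes", "version.php")) as f:
        version = parse_wp_version(f.read())
    return {"version": version,
            "outdated": version is None or is_outdated(version),
            "genericons_html": find_genericons_html(wp_root)}

def build_sample_install() -> str:
    """Constructed sample: a 4.0.5 tree whose Twenty Fifteen theme still ships the page."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    icons = os.path.join(root, "wp-content", "themes", "twentyfifteen", "genericons")
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(icons)
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write("<?php\n$wp_version = '4.0.5';\n")
    with open(os.path.join(icons, GENERICONS_HTML), "w") as f:
        f.write("<html><!-- constructed stand-in for the vulnerable page --></html>\n")
    return root

if __name__ == "__main__":
    print(audit(build_sample_install()))
```

Point audit() at a real document root to get the same report; an empty genericons_html list and outdated=False is the state 4.2.2 leaves behind.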
It is also not clear whether other Microsoft websites were attacked; however, Ars Technica noted, “It’s not unusual for hack-by-numbers exploit kits to automatically inject malicious links into vulnerable pages that when viewed by vulnerable computers, perform drive-by download attacks.”
What is the moral of the story? Website owners running WordPress should consider switching on automatic updates. But it is not always as easy as that.
The Stack points to “custom plugins and custom code created by developers for the company creating the site. A CMS update on any of the major platforms can, and very often does, break critical functionality provided by such third-party code.” That means webmasters “are faced with significant re-development costs to recreate third-party functionality which WordPress updates were destined to break. Plugins and themes are in themselves suitable attack vectors for hackers, allowing exploits to occur even when an installation is up to date. But ‘core’ CMS vulnerabilities cannot be deferred or ignored.”