An anonymous hacker has pointed out an SQL injection vulnerability in the IT systems of notorious Panamanian law firm Mossack Fonseca, hinting at sub-standard IT security at the firm which likely contributed to the major data breach there last week.
The ‘underground researcher,’ who goes by the Twitter handle ‘1X0123,’ posted a screenshot to the micro-blog to prove the flaw, which appears to be in the firm’s CMS.
Mossack Fonseca shot to infamy around 10 days ago when a major cyber attack yielded 11.5 million sensitive documents belonging to the firm, relating to the dubious offshore tax affairs of many current and former world leaders.
It was speculated that the firm may have been subject to an insider leak, before it came out and admitted that the problem was definitely caused by an external hack of its email server.
An analysis by Wired last week claimed that Mossack Fonseca’s client portal runs on the open source Drupal CMS, but that the version used by the firm contained a staggering 25 vulnerabilities as it hadn’t been updated since August 2013.
That report claimed numerous other security flaws in the firm’s IT set-up, so it’s still not confirmed exactly how attackers got in.
Paul Farrington, senior solution architect at Veracode, argued that fixing SQLi flaws is straightforward in 99% of cases, but if left unchecked the repercussions could be devastating.
“All major law firms hold large amounts of sensitive information and know the risks posed by hackers, so it’s unacceptable that despite the initial breach, the company has not fully secured its systems and remains at risk from such a well-known and avoidable attack vector,” he added.
“After numerous high-profile breaches due to SQL injections in recent years and this vulnerability regularly featuring on the OWASP Top 10 list for more than a decade (the widely accepted standard for application security), it is concerning the number of companies whose apathetic approach to application security leads them to be breached using this exploit.”
Interestingly, the researcher who posted details of the SQLi flaw on Twitter appears to have been behind a series of reveals over the past few weeks, including the incident at the LA Times.