Web Application Security Basics – Keeping All Your Software Up To Date

What can we learn from the Mossack Fonseca hack and the Panama Papers leak? This article highlights the repercussions of ignoring one of the most basic concepts of IT and web application security; not updating your software.

One of the most basic principles of IT and web application security is to always run the latest version of the software that you use on your web server, websites and everything else that has some sort of software executed on it.

Yet sometimes the most basic principles are those that are ignored and most commonly exploited in successful hack attacks, case in point: Mossack Fonseca.

What Happened  at Mossack Fonseca and How did the Panama Papers Leak Happen?

A lot has been said on the news on how the Panama Papers leak could have had happened. Some news outlets said that the attackers gained access by exploiting a SQL Injection in a vulnerable version of WordPress, or a plugin. Some others, including security software vendors said that the attackers exploited a SSL vulnerability such as either Heartbleed, Poodle or Drown.

One thing is for sure; Mossack Fonseca were running their websites and customer portals using very old versions of WordPress, Drupal, Apache, SSL, PHP and several other components. All of these software components had known vulnerabilities. If Mossack Fonseca kept its software up to date none of this would have happened and the prime minister of Iceland would not have resigned.

Old Vulnerable Software & Components Are a Big Web Security Problem

Mossack Fonseca got all the media’s attention because many world leaders and businessmen are involved in this leak, though this is not the first time that old software was the cause of a successful hack attack.

Just last year a security research identified a vulnerability in a popular WordPress plugin called RevSlider. As per usual, the developer released a fix though thousands of WordPress websites still got hacked through this vulnerability months later. Actually, till this day there are WordPress websites being hacked through this vulnerability.

There are two reasons why so many WordPress websites are still being hacked through this vulnerability after all this time:

  1. Many WordPress website owners fail to keep their plugins up to date,
  2. The plugin was shipped as a built-in component in several popular WordPress themes, and most of the theme developers did not update their themes or alert their customers.

Lessons Learnt – Always Keep Your Software Up To Date

Both the Mossack Fonseca and the RevSlider WordPress plugin issues are a perfect example of how important it is to always keep any software you use and web components, frameworks etc up to date. That is why at Netsparker we focus on both heuristic web application security scanning and  non heuristic checks, such as checks for possible vulnerable JavaScript libraries and other known software such as WordPress and Joomla!.

Some More Food for Thought; what Could Outdated Software Lead To

Shouldn’t the Panama paper leaks have happened, there wouldn’t be a global turmoil about taxes, politicians and businessman. I am in no way justifying any of the actions such people have done. I am just highlighting the ramifications of not keeping all your software up to date. From a simple mistake of not updating WordPress, or an SSL library, to a prime minister resignation and a political crisis. And this is just the beginning.