Drupal hack attack hits 12m websites


Over the past few days, hackers have compromised at least 12 million websites that have been using Drupal software. In a public service announcement Drupal said attackers had taken advantage of a bug in its widely used software.

The websites use Drupal software to manage web video, text, images and content.

As part of the announcement, Drupal issued a security warning to users who failed to apply a patch for a recently discovered bug, saying those sites can ‘assume’ that they were hacked.

Drupal also stated that automated attacks have taken advantage of the bug, which allows attackers to take complete control of the websites.

In the highly critical announcement, the security team of Drupal stated that all those who failed to take any action ‘. . . within seven hours of the bug being discovered on October 15 . . .’ can take for granted that their website has been compromised.

The security team also said those who are yet to update the software should do so immediately.

The team further said that simply updating the software may not remove any loopholes that attackers inserted once they had access to the websites.

They also warned that websites must investigate to see if the hackers had indeed stolen any data.

In its notice, the Drupal security team said hackers could have stolen data from the websites to use it maliciously. The team also said there may not be any trace of the hacking attack.

The security team provided a link to advice on helping websites recover from being compromised: https://www.drupal.org/node/2365547.

Security analyst Mark Stockley of security firm Sophos said Drupal’s warning came as a ‘shock’.

Stockley said the bug, which affects Drupal software version 7, has put hackers in an advantageous position. With the help of the bug, the hackers can control a server or even seed a website with malware that could trap visitors.

The analyst estimated that at least 5.1 percent of over a billion websites use Drupal 7 software to handle their content. That means as many as 12 million websites need patching.

Stockley said Drupal should not depend on its users to take care of the patches, as most of the site owners may not have received its announcement. Also, most of those who got the announcement may well not be treating it with urgency.

He therefore urged Drupal to install an automatic updater that applies security updates by default.

During the past week, several hacking attacks targeted services such as CurrentC, the MCX mobile payment app. Last week, hackers stole email addresses from CurrentC.

The web security of several online databases has been unable to hold up against the ingenuity and skill of the hackers. With the amount of online user data increasing manifold every year, analysts feel there is an urgent need to strengthen web security.

The chief executive officer of High-Tech Bridge, Ilia Kolochenko, praised Drupal for raising awareness of the major threat that users were facing.

