The Plone Security Team released an advisory announcing some previously planned updates. In the process, it refuted hacker CyberZeist’s claim of compromising the FBI’s website (fbi.gov) and publicly leaking personal account information of several FBI agents.
Earlier, CyberZeist tweeted multiple screenshots showing unauthorized access to server and database files using a local file inclusion vulnerability in its Python plugins.
The hacker also claimed that the FBI’s website is hosted on a virtual machine using a customized older version of FreeBSD.
The hacker sent a follow-up tweet saying access was gained by exploiting a Plone CMS zero-day vulnerability, and that they leaked personal data of 155 FBI officials to Pastebin, including their names, passwords and email accounts. The exploit is up for sale on the online black market, CyberZeist said.
In its advisory, the Plone Security Team said it will release a security update on January 17 to patch various vulnerabilities. Throwing cold water on CyberZeist’s claims, they said there’s no evidence that the issues to be fixed are being actively exploited. Matthew Wilkes of the Plone Security Team told The Hacker News:
“The issue we are fixing in no way resembles CyberZeist’s claims, neither do the issues we fixed last month. The aim of releasing information from such a hack is to convince people that you’ve indeed hacked the target. Claims of hacks that only give information that is publicly available (such as open-source code) or impossible to verify (such as hashed passwords) are common signs of a hoax.”
The Plone security team isn’t alone in feeling this was a hoax.
Alexandru Ghica, Eau de Web – maintainer of an EU website CyberZeist also claimed to have hacked – told The Hacker News: “I can say for sure that at least some of the data posted as proof is 100% fake. The hoax was a bit elaborate indeed, but that’s it.”