The Plone Security Team released an advisory announcing some previously planned updates. In the process, it refuted hacker CyberZeist’s claim ofcompromising the FBI’s website ( fbi.gov ) and publicly leaking personal account information of several FBI agents.
Earlier,CyberZeist tweeted multiple screenshots showingunauthorized access to server and database files using a local file inclusion vulnerability inits python plugins.
The hacker also claimedthat the FBI’s website is hosted on a virtual machine usinga customized older version of FreeBSD.
The hacker sent a follow-up tweet saying access was gained by exploiting aPlone CMS zero-day exploit, and that they leaked personal data of 155 FBI officials to Pastebin , including their names, passwords and email accounts. The exploit is up for sale onthe online black market, CyberZeist said.
In its advisory, the Plone Security Team saidit will release a security update on January 17 to patch various vulnerabilities. Throwing cold water onCyberZeist’s claims, they said there’s no evidence that the issues to be fixed are being actively exploited.Matthew Wilkes of the Plone Security Team told The Hacker News:
The issue we are fixing in no way resembles CyberZeist’s claims, neither do the issues we fixed last month. The aim of releasing information from such a hack is to convince people that you’ve indeed hacked the target. Claims of hacks that only give information that is publicly available (such as open-source code) or impossible to verify (such as hashed passwords) are common signs of a hoax.
The Plone security team isn’t alone in feeling this was a hoax.
Alexandru Ghica, Eau de Web maintainer of an EU website CyberZeist also claimed to have hacked told The Hacker News: “I can say for sure that at least some of the data posted as proof is 100% fake. The hoax was a bit elaborate indeed, but that’s it . ”