By Lucian Constantin
Jan. 6, 2017
"It would be hard to change this behaviour and there would be no benefit of doing so," Wilkes said.
Furthermore, some screen shots posted by the hacker on Twitter suggest the attack forced the FBI website to expose portions of its source code. While this type of attack is common against PHP applications, it's not possible against Python websites that don't use the cgi-bin model of execution.
Another screen shot posted by the hacker shows information from an email that was supposedly extracted from the FBI server's mail logs.
"This appears to be his own server's logs, as although he has modified the name of the server in the log to be an FBI one, he has neglected to change the timezone reported in the emails from Indian Standard Time to Eastern Standard Time," Wilkes said.
On top of all that, CyberZeist has been suspected of faking hacks and data leaks before.
The goal of faking the compromise of FBI.gov, a high-profile website that's known to use Plone, could be to trick other hackers into paying for an exploit that doesn't exist. According to Wilkes, the so-called Plone zero-day exploit is up for sale on the Tor network for 8 bitcoins -- around US$9,000.
"There is no reason to believe that his claims are genuine and we would warn all website administrators to be wary of social media users claiming to have bugs for sale," he said.
Before rumors of this vulnerability appeared, Plone had already announced an upcoming security patch scheduled to be released on Jan. 17. That fix has nothing to do with the alleged zero-day exploit and is meant to fix a "minor, low severity" security issue that does not allow for remote code execution or file inclusion, Wilkes said.
"There is no evidence that there was a targeted attack or compromise against FBI.gov," the FBI said in an emailed statement.