Update: A hacker yesterday claimed to have hacked the FBI's website running on Plone CMS, but it seems it wasn't hacked using any zero-day vulnerability in Plone. We contacted the Plone security team and updated this story (see below) with official statements.
A hacker, using the Twitter handle CyberZeist, has claimed to have hacked the FBI's website (fbi.gov) and leaked personal account information of several FBI agents publicly.
CyberZeist had initially exposed the flaw on 22 December, giving the FBI time to patch the vulnerability in its website's code before making the information public.
The hacker exploited a zero-day vulnerability in the Plone CMS, an open-source content management software used by the FBI to host its website, and leaked personal information of 155 FBI officials to Pastebin, including their names, passwords, and email accounts.
CyberZeist tweeted multiple screenshots as proof of his claims, showing his unauthorized access to server and database files using a zero-day local file inclusion (LFI) type vulnerability affecting its Python plugins.
The hacker also found that the FBI's website is hosted on a virtual machine running a customized older version of the open-source FreeBSD operating system.
According to another tweet, the Plone CMS zero-day exploit is up for sale on an unnamed dark web marketplace.
The Plone CMS is considered to be one of the most secure CMSes available today and is used by many major websites like Google, and major US agencies including the FBI and the CIA.
CyberZeist also warned other agencies, including the European Union Agency for Network and Information Security, the Intellectual Property Rights Coordination Center, and Amnesty International, which are currently using the Plone CMS, that they too are vulnerable to a similar attack.
The FBI authorities have yet to respond to the claims.
Update — Plone Security Team Says, There's No Zero-Day!
Meanwhile, the Plone Security team has released a security advisory saying that it will release a security update on 17 January to its customers to "patch various vulnerabilities."
For now, the advisory doesn't include much technical information about the vulnerabilities, but it covers all supported Plone versions (4.x, 5.x). Previous versions could also be affected.
"The advisory information we give in those pre-announcements is standard. In fact, the upcoming patch is to fix a small issue with Zope which is neither an RCE nor an LFI inclusion problem." Notably, the Plone Security team has also mentioned that "there is no evidence that the issues fixed here are being actively exploited."
"The issue we are fixing in no way resembles CyberZeist's claims, neither do the issues we fixed last month," Matthew Wilkes, Plone security team, told The Hacker News.
"The aim of releasing information from such a hack is to convince people that you've indeed hacked the target. Claims of hacks that only give information that is publicly available (such as open-source code) or impossible to verify (such as hashed passwords) are common signs of a hoax," Matthew said.
"It is extremely easy to fake a hack like this; it takes rudimentary Photoshop skills or use of the Chrome JavaScript developer console," Nathan van Gheem, Plone security team, told THN. Also, Mr. Alexandru Ghica, Eau de Web, the maintainer of a European Union website which the hacker also claimed to have hacked, says, "I can say for sure that at least some of the information posted as proof is 100% fake. The hoax was a bit elaborate indeed, but that's it."
This is not the first time CyberZeist claimed to have hacked the FBI website. In 2011, the hacker breached the FBI website as a member of the infamous hacker collective known as "Anonymous."