On a tip from a reader, yesterday we came across a new MasterCard hack, performed by the Syrian Electronic Army. The hackers were able to breach the MasterCard blog (https://insights.mastercard.com) and publish a new post on the site titled “Hacked By Syrian Electronic Army” on January 5, 2013.
For now MasterCard has deleted that post, but readers can check the Google cache. Today we tried to contact the hackers, but maybe they are busy hacking their next target, so I started my own investigation into how they could hack the blog of such a big financial website.
Starting from the very first step, information gathering about your target: simply by reviewing the source code we found that the MasterCard blog is using WordPress. We all know WordPress is a particularly popular attack vector for cyber criminals.
To confirm this, I just tried to access the readme.html file of the CMS, and that’s it: MasterCard #fail! They are using an old WordPress 3.3.2 version, instead of the current version 3.5, and are proudly vulnerable to many flaws like cross-site scripting, file upload vulnerabilities, cross-site request forgery (CSRF), etc.
As far as I know, there is a good cross-site request forgery (CSRF) exploit available on the internet for WordPress 3.3.2 that allows an attacker to add a new admin user, using a bit of social engineering against the administrator.
Possibly the hackers used one of these vulnerabilities to hack the MasterCard blog. WordPress and its plug-ins are always primary attack vectors for many attacks. You should always be using the latest version of your software, especially if you’re a major company that is often targeted by hackers.
If you’re also not using the latest version of WordPress, you should upgrade immediately.
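As an added example (not code from the article or from MasterCard), a small Python self-audit for your own install: it parses the version line a WordPress readme.html discloses, flags it when it is older than the release the article names as current, and notes that the file itself should be removed or denied once the upgrade is done. The readme sample is constructed, not captured from any real site.

```python
import re
from typing import Optional

# Latest WordPress release as named in the article (January 2013); bump when re-running.
CURRENT_VERSION = "3.5"

# Constructed sample in the shape of the readme.html WordPress ships at the site root
# (not captured from any real site); the "Version" line mirrors WordPress's own layout.
SAMPLE_README = """<!DOCTYPE html>
<html>
<head><title>WordPress &rsaquo; ReadMe</title></head>
<body>
<h1 id="logo">
  <a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
  <br /> Version 3.3.2
</h1>
</body>
</html>
"""

_VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)*)")


def wordpress_version(readme_html: str) -> Optional[str]:
    """Return the version string disclosed by a WordPress readme.html, or None."""
    match = _VERSION_RE.search(readme_html)
    return match.group(1) if match else None


def _as_tuple(version: str) -> tuple:
    # "3.3.2" -> (3, 3, 2); tuple ordering is correct here, e.g. (3, 3, 2) < (3, 5)
    return tuple(int(part) for part in version.split("."))


def is_outdated(found: str, current: str = CURRENT_VERSION) -> bool:
    """True when the disclosed version is older than the current release."""
    return _as_tuple(found) < _as_tuple(current)


def audit_readme(readme_html: str, current: str = CURRENT_VERSION) -> dict:
    """Summarise what a public readme.html tells an outsider about your own install.
    'disclosed' means readme.html should be deleted or denied in the web server
    after upgrading; 'outdated' means the upgrade itself is overdue."""
    version = wordpress_version(readme_html)
    return {
        "disclosed": version is not None,
        "version": version,
        "outdated": version is not None and is_outdated(version, current),
    }
```

Run it against the readme.html fetched from your own site; a `disclosed` result with `outdated` False still means the file is advertising your version for no reason.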
Mohit Kumar aka ‘Unix Root’ is Founder and Editor-in-chief of ‘The Hacker News’. He is a Security Researcher and Analyst, with experience in various aspects of Information Security.