Gawker Security Breach Remains, Says Hacker Behind Info Theft
One of the hackers that stole info on 1.3 million Gawker Media users tells The Daily Beast’s Brian Ries a second hole remains—and the company’s weakness has been widely known since August.
Nick Denton's week is getting worse.
In between public apologies, the founder of Gawker Media has been scrambling since Sunday to secure his company's digital walls following a breach of his blog network's security that publicly revealed 200,000 email addresses and passwords of the company's 1.5 million registered commenters. By yesterday, he had reopened the sites for his users to resume the snarky, anonymous barbs that are the company's hallmark.
But The Daily Beast has learned that the company’s security remains as vulnerable as ever. [Update 12/14 9:53pm: The exploit has been patched.] Specifically, one hacker who participated in the Gawker attack, a member of the shadowy self-named group Gnosis, tells me that another vulnerability remains in place. Two other hackers, who did not participate in the Gnosis plot but are members of the same circle and observed the breach as it was happening, confirm this.
Furthermore, these three hackers say Gawker’s security exposure has been an open secret for more than three months.
The ongoing vulnerability stems from Gawker's source code, specifically a hole in the company’s preferred open source script, Minify, which ostensibly helps the site load faster. According to the three hackers, Gnosis felt confident that Minify provided a way in, but ultimately found yet another door (“It is not how we gained access,” the attack participant tells me), which they would not disclose.
Gawker Media’s problem: the version of Minify that they use is apparently three years old, and the company has not updated to a newer, more secure version. This hole was even publicly disseminated on August 31 via the popular hacker mailing list Full Disclosure, which noted that while Minify could not by itself grant access, it provided other paths to Gawker’s entire server.
“Gawker should know about this,” the hacker who made the post to Full Disclosure tells The Daily Beast, “but they haven't bothered to do much it seems.”
When I asked Denton on Tuesday afternoon whether he was certain of the security of his sites, he replied: “I don't think anyone can ever say that with 100 percent confidence. But we have locked out this particular group of hackers, have changed all administrator passwords and we're taking other steps.” When I then informed him about the Minify breach, he referred questions to Gawker’s chief technology officer, Thomas Plunkett, who in turn said that they knew about it in September and “have secured known issues” and “are securing others as we discover them.”
The hackers maintain, however, that the Minify hole has been alive and well. To emphasize how easy it is to exploit Minify, one of the hackers even gave me what amounted to a tour of Gawker’s source files last night.
According to the hacker who participated in the attack, Gnosis was an informal group centered around pulling pranks on one another before coming together to target Gawker. He adds that there was considerable internal strife about whether to notify the company before publicly revealing the data. "It is my personal opinion that we should have contacted Gawker before releasing the source and given them the ways we got in," he says. "But alas we did not."
Another of the hackers shared some background on Gnosis group members. According to his information, one works for a U.S. Internet-hosting firm, another is based in the U.K., and a third is known primarily for involvement with “Operation: Payback,” which engineered last week’s WikiLeaks-related MasterCard and Visa attacks.
So why didn’t Gawker patch this security hole months ago, when the findings were posted online? The signs were certainly there. As Forbes reported earlier on Monday, Denton noticed something strange around a month ago, when his Campfire account, an internal collaboration tool, began acting up. But in poking around, his staff came to “the wrong conclusions,” never suspecting such a breach.
On Monday, in a post explaining the breach, Gawker management wrote that they were looking to hire an “independent security firm to improve security across our entire infrastructure.” Such firms are said to be “horrendously expensive.”
Plunkett told me that if the company discovers that the Minify vulnerability still exists, as the hackers demonstrated to me, they will patch it. When I asked him why Gawker Media is currently letting people register and post at its sites, potentially exposing their information, Plunkett responded: “We feel we have secured user data… this most important point of vulnerability is secured. But one can never be 100 percent secure.”
[Update 12/14 9:53pm: The hacker who first found the vulnerability tells us the exploit has now been patched.]
Brian Ries is tech and social media editor at The Daily Beast. He lives in Brooklyn.