Claims of Plone Zero-Day and FBI Hack Likely False

Claims that the FBI’s website has been hacked using a zero-day vulnerability in Plone are false, according to the developers of the open source content management system (CMS).

On January 1, an individual using the online moniker CyberZeist (aka le4ky) leaked roughly 150 fbi.gov email addresses and what appeared to be SHA-1 password hashes and their associated salts. CyberZeist claimed to have obtained the information after exploiting a Plone zero-day flaw that has allegedly been sold on a dark net website.

Plone developers have analyzed the screenshots and information made available by CyberZeist and determined that it’s likely just a “hoax.”

Plone is considered a highly secure CMS and the fact that it has been used by the FBI and various other U.S. government organizations is not a secret. However, that may be the only truth in the post published on Pastebin by CyberZeist, who claimed to have carried out the attack on behalf of the Anonymous hacktivist movement.

The developers of Plone said some of the screenshots have been faked, while others simply don’t back the hacker’s claims. Furthermore, the leaked email addresses show up in several older leaks, and the password hashes and salts are not consistent with ones generated by Plone. The credentials were allegedly obtained from .bck backup files, but this extension is not used by the Plone backup system.

“It is extremely easy to fake a hack like this. It takes only rudimentary Photoshop skills or use of the Chrome JavaScript developer console,” said Nathan Van Gheem of the Plone security team.

Plone also pointed out that the so-called zero-day exploit is up for sale for 8 bitcoins ($9,000), but since it’s not possible to obtain refunds on such transactions, experts believe it’s likely a scam.

“We don’t believe the FBI is his target; it is more likely that he is using this high profile site as a way of advertising fake exploits for sale,” Plone representatives said. “There is no reason to believe that his claims are genuine and we remind all website administrators to be wary of social media users claiming to have bugs for sale.”

CyberZeist has claimed to have found vulnerabilities in the websites of several major organizations in the past months, but he hasn’t provided any solid proof to back his claims. Furthermore, he has been known to fake data leaks.

Related Reading: News or Ruse? How Cyber Situational Awareness Can Help You to Distinguish

Related Reading: Hundreds Access Fake Bank Account Data “Leaked” to Dark Web

Related Reading: eBay, Security Experts Say Database Dump is Fake