Update: A hacker yesterday claimed to have hacked the FBI’s website running on Plone CMS, but it seems it wasn’t hacked using any zero-day vulnerability in Plone. We contacted Plone security team and updated this story (see below) with official statements.
A hacker, using Twitter handle CyberZeist, has claimed to have hacked the FBI’s website (fbi.gov) and leaked personal account information of several FBI agents publically.
CyberZeist had initially exposed the flaw on 22 December, giving the FBI time to patch the vulnerability in its website’s code before making the data public.
The hacker exploited a zero-day vulnerability in the Plone CMS, an Open Source Content Management software used by FBI to host its website, and leaked personal data of 155 FBI officials to Pastebin, including their names, passwords, and email accounts.
CyberZeist tweeted multiple screenshots as proof of his claims, showing his unauthorized access to server and database files using a zero-day local file inclusion type vulnerability affecting its python plugins.
Hacker also found that the FBI’s website is hosted on a virtual machine running a customized older version of the open-source FreeBSD operating system.
According to another tweet, the Plone CMS zero-day exploit is up for sale on an unnamed dark web marketplace.
The Plone CMS is considered to be one of the most secure CMSes available today and is used by many major websites like Google, and major United States agencies including the FBI and the CIA.
CyberZeist also warned other agencies, including the European Union Agency for Network and Information Security, Intellectual Property Rights Coordination Center, and Amnesty International, which are currently using the Plone CMS that they too are vulnerable to a similar attack.
The FBI authorities have yet to respond to the claims.
Update — Plone Security Team Says, There’s No Zero-Day!
Meanwhile, Plone Security team has released a security advisory saying that it will release a security update on 17th January to its customers to "patch various vulnerabilities."
For now Advisory doesn’t include much technical information about the vulnerabilities, but all supported Plone versions (4.x, 5.x). Previous versions could be affected.
"The advisory information we give in those pre-announcements is standard. In fact, the upcoming patch is to fix a minor issue with Zope which is neither a RCE or LFI inclusion problem."
Notably, Plone Security team has also mentioned that "there is no evidence that the issues fixed here are being actively exploited."
"The issue we are fixing in no way resembles CyberZeist’s claims, neither do the issues we fixed last month." Matthew Wilkes, Plone security team, told The Hacker News.
"The aim of releasing information from such a hack is to convince people that you’ve indeed hacked the target. Claims of hacks that only give information that is publicly available (such as open-source code) or impossible to verify (such as hashed passwords) are common signs of a hoax," Matthew said.
Also, Mr. Alexandru Ghica, Eau de Web, the maintainer of an EU website which hacker also claimed to have hacked says, "I can say for sure that at least some of the data posted as proof is 100% fake. The hoax was a bit elaborate indeed, but that’s it."
This is not the first time CyberZeist claimed to have hacked the FBI website. In 2011, the hacker breached the FBI website as a member of the infamous hacker collective known as "Anonymous."