FreshBooks leaks WordPress admin credentials in publicly accessible AWS bucket

Summary

LTT sponsor FreshBooks left a publicly accessible AWS storage bucket unsecured. It contained database backups of their WordPress website and easily crackable passwords, giving an attacker access to modify live website content or more.

 

Quotes

Quote

"On January 20, Cybernews researchers discovered a publicly accessible AWS Storage bucket belonging to FreshBooks. While it mainly stored images and metadata of FreshBooks' blog, among the leaked data were backups of the website's source code and related database."

 

"One of the databases contained information about the site, its configurations, and data of 121 WordPress users. Names, usernames, email addresses, and hashed passwords of the site’s administrators, writers, and editors were exposed."

 

My thoughts

FreshBooks obtained a SOC 2 Type 1 certification just a few days after this leak was disclosed to them. How many of those 121 leaked passwords were reused by their staff on the administration side of their accounting platform? Hopefully FreshBooks investigated this and will publish a post-mortem. Maybe this will be a topic for this week's WAN Show.

 

Sources

https://cybernews.com/security/freshbooks-leaks-wordpress-credentials/

https://www.techradar.com/news/data-of-30-million-wordpress-users-leaked-by-top-cloud-accounting-firm

https://www.freshbooks.com/press/releases/freshbooks-enhances-security-with-successful-completion-of-soc-2-type-1-certification

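The leak above is a misconfiguration that is cheap to catch before an outsider does. As an added example that is not part of the original post and not anything FreshBooks or Cybernews published, the block below audits the three S3 documents that decide whether a bucket is readable by anyone: the bucket ACL, the bucket policy, and the Block Public Access configuration. The document shapes match what the S3 API returns for those three calls; the bucket name, owner ID, CloudFront distribution ARN and both sample configurations (a "leaky" blog-assets bucket and the same bucket hardened) are constructed for illustration.

```python
"""Offline audit of the S3 documents that decide whether a bucket is public.

Added example (not from the article or FreshBooks). Document shapes follow the
S3 API responses for GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock;
every sample document below is constructed.
"""
import json

# Well-known S3 group URIs; a grant to either one makes the ACL public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields such as Statement and Action may be a string or a list."""
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to an all-users group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: any account, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return (Sid, actions) for unconditioned Allow statements open to everyone.

    Statements carrying a Condition (e.g. AWS:SourceArn) are scoped and need a
    human review, so they are deliberately not flagged as public here.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _principal_is_public(stmt.get("Principal")):
            findings.append((stmt.get("Sid", f"statement[{i}]"),
                             _as_list(stmt.get("Action", []))))
    return findings


def public_access_block_gaps(pab):
    """Return the Block Public Access settings that are missing or False."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [k for k in PAB_SETTINGS if not cfg.get(k, False)]


def audit_bucket(acl, policy, pab):
    """Combine the three checks into a list of human-readable findings."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    for sid, actions in public_policy_statements(policy):
        findings.append(f"policy {sid} allows {','.join(actions)} to everyone")
    gaps = public_access_block_gaps(pab)
    if gaps:
        findings.append("Block Public Access not fully enabled: " + ", ".join(gaps))
    return findings


# --- Constructed sample documents ------------------------------------------
# A blog-assets bucket made world-readable for images, with no Block Public
# Access; anything later dropped into it (such as a DB backup) is public too.
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-blog-assets/*"}],
})
LEAKY_PAB = None  # GetPublicAccessBlock returned no configuration at all

# The same bucket hardened: owner-only ACL, reads only through a CloudFront
# origin statement scoped by Condition, all four Block Public Access flags on.
HARDENED_ACL = {"Owner": LEAKY_ACL["Owner"], "Grants": LEAKY_ACL["Grants"][:1]}
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "CloudFrontRead", "Effect": "Allow",
                   "Principal": {"Service": "cloudfront.amazonaws.com"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-blog-assets/*",
                   "Condition": {"StringEquals": {"AWS:SourceArn":
                       "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"}}}],
})
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_SETTINGS}}

if __name__ == "__main__":
    for name, docs in {"leaky": (LEAKY_ACL, LEAKY_POLICY, LEAKY_PAB),
                       "hardened": (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB)}.items():
        print(name, audit_bucket(*docs) or ["no public exposure found"])
```

Running the block prints three findings for the constructed leaky bucket and none for the hardened one. In a real account the same functions take the responses of the three S3 calls for each bucket. The audit is deliberately noisy on purpose-built public buckets: a bucket that has to be world-readable for blog images should show up every time, which is the reminder that backups, source archives and database dumps belong in a separate bucket with Block Public Access on, never beside the public assets.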

More than anything, I am mostly surprised their website is made through WordPress. I had assumed it would be completely custom.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


Agreed. Touting that 30+ million people use their product, you would think they could afford some web developers to build a custom website. I just checked their homepage and they are still using WordPress for their site.


1 hour ago, MatthewTheITGuy said:

How many of those 121 leaked passwords were reused by their staff on the administration side of their accounting platform?

Hopefully 0 of those passwords are the same. Let's be honest, how many people have (or even can use) different passwords for their work-related websites? Often passwords for a job are managed in a unified way, so if you change your password for one thing it changes them for all of them. Like in my line of work: the same password for Web Advisor, and also the institutional Microsoft account, and also for access to Blackboard, etc. If they have a system like that, I hope they changed all passwords quick fast and in a hurry.


10 hours ago, TetraSky said:

More than anything, I am mostly surprised their website is made through WordPress. I had assumed it would be completely custom.

Why reinvent the wheel? WordPress makes an adequate CMS, and web designers and writers are well acquainted with it. It's just a security nightmare that has to be diligently updated. (It's hit the hardest because so many people use it.)

 

They could've also used another canned CMS like Drupal or Joomla, but those always come with their own issues.

Edited by Needfuldoer

I sold my soul for ProSupport.


7 hours ago, MatthewTheITGuy said:

Summary

LTT sponsor FreshBooks left a publicly accessible AWS storage bucket unsecured. It contained database backups of their WordPress website and easily crackable passwords, giving an attacker access to modify live website content or more.

 

Why do companies insist on using WordPress? You can't protect anything on a WordPress site; it's not a question of IF, but WHEN someone hacks it.

 

Real companies do not use WordPress for anything more than a blog. The minute you start using it for anything else, it becomes Swiss cheese.


17 hours ago, Kisai said:

Why do companies insist on using WordPress? You can't protect anything on a WordPress site; it's not a question of IF, but WHEN someone hacks it.

 

Real companies do not use WordPress for anything more than a blog. The minute you start using it for anything else, it becomes Swiss cheese.

What are companies meant to use instead?

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022),

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


4 hours ago, AluminiumTech said:

What are companies meant to use instead?

They are supposed to hire people who actually know how to code things.

 

Golden rule: "We provide X service, we should eat our own dogfood."

If a company provides a service, that service should be developed in-house, and everything that supports it built with the same language/tools.

 

Quote

FreshBooks was founded in 2004 by Mike McDerment, Levi Cooperman, and Joe Sawada in Toronto, Ontario. McDerment incorporated a second company, BillSpring in January 2015 to work on new product development. It was rolled back into FreshBooks as an updated interface in 2016.[4]

 

Initially FreshBooks functioned like an electronic invoicing program targeting IT professionals.[5] After the release of the new interface, the initial release of FreshBooks was referred to as "FreshBooks Classic."[6] FreshBooks Classic was discontinued in 2022 after migrating users to the new platform.[7] FreshBooks Classic's front-end application was built in PHP, and the backend services were built in Python while the new FreshBooks uses the same backend services with a JavaScript single-page application.[8]

They already had a product written in PHP and Python. The current version is a JSA. They clearly have the know-how to write a JSA, so the entire website should have been JSAs.

 

Not WordPress.

 

The only time a "corporation" should be using WordPress is if they provide NO service. It's a business card. If I look up "pizza places" and I can't order a pizza from joeownsapizzapie.com, then I'm not going to phone them to order a pizza; I'm going to go order from Little Caesars or Dominos, who have sites designed around ordering the pizza.

 

The kind of company that would be using WordPress is one where the website is a signpost. You can't get your hair cut online, you can't get your computer serviced online, you can't get your car serviced online, BUT you can schedule an appointment online. Sometimes.

 

The point is that, if you are providing a web-based service, you should be using WordPress. You should be using the people and resources you already have to build a solution that works to provide that service. Don't risk your business to the whim of WordPress's horrific security culture.

 
