How ethical hackers found a (small) vulnerability on my website

One of the most important things I need to consider when running grahamcluley.com is its security.

After all, it would be pretty embarrassing if a website which discusses the latest security news suffered a security breach itself.

That would be like a computer security company getting hacked! Ha! Crazy! As if that would ever happen…

Because security matters to me, and I don’t have the cash to pay for my own IT team, I made sure that my website was hosted with a company I trust to ward off denial-of-service attacks, fend off hacking attacks, and help keep my server software (the site runs on WordPress) up to date with the latest patches.

I ended up going with WP Engine, a fully-managed WordPress hosting platform. You can get much cheaper web hosting if you want to – but not with the level of service, security and support they provide.

Of course, it would never be wise to rest on your laurels and assume everything is tickety-boo – even with a web host like WP Engine.

So, I asked the security researchers at High-Tech Bridge – famous for finding security holes on the NASDAQ and Yahoo websites (the latter of which earned them a paltry T-shirt) – to take a long hard look at my website, and see what they could uncover…

ImmuniWeb

High-Tech Bridge offers this service, which they call the ImmuniWeb On-Demand Web Security Assessment, to any company that wants its website tested for security. At $639 it should be within the budget of most small and medium-sized businesses that care about their web security.

What’s cool is that the ImmuniWeb service isn’t just an automated web vulnerability scanner hunting for flaws on customers’ websites. While that scan is running, High-Tech Bridge also has a team of ethical hackers, with years of professional web security experience, manually attempting to penetrate the website and searching for the flaws and weaknesses that automated tools tend to miss.

Here’s a video (with rather cheesy music) in which Frost & Sullivan’s Alexander Michael explains the importance of regular independent penetration tests, conducted by specialists, for small and medium-sized businesses that don’t always have the internal resources to tackle web server security adequately.

Ok. So, you probably want to know what the ethical hackers at High-Tech Bridge found wrong with my website, don’t you?

Well, the good news is that although their investigation into my site was thorough (they sent me a 17-page report at the end of the process), there wasn’t much wrong.

In fact, no critical, high or medium severity vulnerabilities were found on my site – despite High-Tech Bridge’s best efforts.

Part of vulnerability report

But there was one low-severity vulnerability.

High-Tech Bridge’s team had found a flaw in a WordPress plugin on my site called Tweet Blender. The threat was that if I visited a booby-trapped website (perhaps after clicking on a link sent to me in a targeted attack) while logged into an administrator account for my website, the attackers might be able to access my cookies, session details or even my browser history.

Not the most serious security risk in the world – but still not one you want present on your website, because the account being targeted is the one with full control of the site.

High-Tech Bridge said they had reported the flaw to the vendor, but that it had not yet been patched. They didn’t just tell me about the flaw, though: they also provided me with proof-of-concept code so I could test it for myself, giving me the opportunity to verify that the problem was properly addressed on my website.

Details of vulnerability

The good news is that the flaw has now been fixed in the Tweet Blender plugin.

The better news, for me, is that thanks to High-Tech Bridge I was able to address the issue weeks ago.

You can find out much more about High-Tech Bridge’s ImmuniWeb service on its website.


One Response

  1. Joseph, November 21, 2013 at 12:46 am

    Great concept/idea actually. I have been waiting for such a SaaS for a while. Thank you for letting me know! Joseph.
