The Panama Papers Started With Bad CMS Security

From Issue #56

I just finished a book called The Laundromat, which detailed the Panamanian law firm Mossack Fonseca and the leak of multiple terabytes of internal data on their customers, which became known as The Panama Papers.

Turns out, Mossfon was really bad at CMS security, according to this Wired article:

The Security Flaws at the Heart of the Panama Papers

It started with their customer portal:

The version of Drupal used by [their client] portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.

It got worse:

Mossack Fonseca’s […] main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.

They were uploading sensitive internal data into CMSs that were publicly available and hopelessly out of date. Bad for them, good for justice, I guess?

(To this day, no one knows who leaked the data. The whistleblower – named John Doe – remains anonymous.)

(Also, Netflix made The Laundromat into a movie in 2019.)
