Outdated version of WordPress leads to MasterCard Hack

Mastercard : ehackYesterday we came across a new MasterCard hack, performed by Syrian Electronic Army. Hackers was able to breach MasterCard Blog (https://insights.mastercard.com) and make a new blog post on the website with title “Hacked By Syrian Electronic Army” on January 5, 2013.


MasterCard Hacked By Syrian Electronic Army : ehack

MasterCard Hacked By Syrian Electronic Army : ehack

For now MasterCard deleted that post, but readers can check Google cache. Today we tried to contact the hacker, but may be they are busy in Hacking Next Target , I started my investigation that how they can hack such a big economic website’s blog.

Starting from very first step, Information gathering about your target. Simple by reviewing the source code we found that MasterCard blog is using WordPress. We all know, WordPress is particular a popular attack vector for cyber criminals.

Google Cache of Hacked Mastercard Blog : ehack

Google Cache of Hacked Mastercard Blog : ehack

To know this, I just tried to access the readme.html file of CMS , that’s it – MasterCard #fail ! They are using an old WordPress 3.3.2 version, instead of the current version 3.5 and Proudly vulnerable to many flaws like Cross Site scripting, File upload vulnerability, Cross-site request forgery (CSRF) etc.

As far I know, There is a good Cross-site request forgery (CSRF) exploit available on internet for WordPress 3.3.2 Cross-site request forgery, that allow attacker to add a new admin user, using bit of social engineering with administrator.

Possibly Hacker may use any one of these vulnerability to hack MasterCard blog. WordPress and its plug-ins are always primary attack vectors for many attacks. You should always be using the latest version of your software, especially if you’re a major company that is often targeted by hackers.

If you’re also not using the latest version of WordPress, you should upgrade immediately.



Original post at –thehackernews

Thanks for reading. hope it might helped you.




Posted on January 10, 2013, in hacking, security and tagged , , . Bookmark the permalink. 2 Comments.

  1. Yeah bookmaking this wasn’t a risky decision outstanding post! .

  1. Pingback: URL

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: