Ghost Confirms Hack Attack: 750,000 Users Spooked By Critical Vulnerability

Popular open-source blogging platform with more than 2 million installs confirms it has been hacked.

Although most people tend to immediately think of WordPress when asked to name a blogging platform, it certainly isn’t the only player in town.

The self-proclaimed “world’s most popular modern open-source publishing platform,” Ghost, includes big-name customers such as Mozilla, NASA, and DuckDuckGo among its 750,000 registered users, according to its website. In the last week alone, Ghost users, including writers, podcasters, and video creators, set up 6,920 new publications.

It has also been hacked today, May 3.


At 3:24 a.m. (BST), the site posted a service update stating that it was investigating the cause of an outage. By 10:15 a.m. the reason had become clear: Ghost had been hacked.

“Around 1:30 a.m. UTC on May 3, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure,” a status update posting confirmed. The critical vulnerabilities referenced are in SaltStack, an open-source infrastructure management tool written in Python. CVE-2020-11651 allows a remote user, without authentication, to obtain access that can be used to retrieve user tokens, while CVE-2020-11652 allows authenticated users arbitrary directory access.


The hack attack affected both Ghost Pro sites and Ghost.org billing services. However, no credit card information is thought to have been compromised at this stage of the investigation, nor were any user credentials stored in plain text.

“There is no direct evidence that private customer data, passwords or other information has been compromised,” the Ghost update stated, “all sessions, passwords and keys are being cycled and all servers are being re-provisioned.”

An update, posted at 1:46 p.m. (BST), revealed that early investigations show the SaltStack vulnerabilities were used in an attempt to mine cryptocurrency on the Ghost servers. “The mining attempt spiked CPUs and quickly overloaded most of our systems,” it stated, “which alerted us to the issue immediately.” There remains no evidence that any access to systems or data was attempted.

Security expert John Opdenakker, who runs a self-hosted infosec Ghost blog, says “even if you run Ghost self-hosted, this incident reminds us that it’s important to install all latest patches.”
