Many of you may not be familiar with Drupal, but website developers certainly are. Drupal is a software company whose software is used by a billion websites to manage images, text and video on websites. On October 15th, Drupal announced that it had discovered a major security flaw that could be exploited by hackers to not only steal data from targeted websites, but also to set up a backdoor application that would permit the hacker to return to retrieve more data. All of this could be done without any indication that a hacking had occurred. Most companies responded to Drupal’s announcement and its security update, however, according to Drupal, any website that did not download the Drupal security patch within seven hours of its October 15th announcement should assume that they have been hacked and their sensitive information compromised. Drupal estimates that about 5% of the billion websites that use Dropal software did not install the necessary security patch in a timely fashion and although this number may seem small, this means that the number of affected websites that may have personal information on you and me is as high as twelve million websites.
Part of the problem is that unlike many software companies that provide automatic updates for you to install, Drupal does not do so. Many companies, to their own detriment are slow to install important security updates and this delay puts them and their customers in serious danger of identity theft and being scammed. This is why here at Scamicide we provide security updates as, in turn, provided by the U.S. Department of Homeland Security as they are announced. The Drupal security problem is also a warning again to us all that we are only as secure as the companies and governmental agencies with which we do business with the least effective security.
Here are links to Drupal’s original warning as well as a security update that instructs Drupal users how to remedy the problem.