Drupalgeddon 2.0 (CVE-2018-7600) | Disposable mail Blog – 10 minute mail

On March 28th, Drupal released a security update that fixes a critical remote code execution vulnerability nicknamed Drupalgeddon 2.0. Disposable mail scans your site for this vulnerability and will alert you if you are running a vulnerable version of Drupal.

What can happen if I’m vulnerable?

The issue (CVE-2018-7600) is a remote code execution vulnerability that allows attackers to take over a Drupal site, accessing all non-public data as well as being able to modify or delete it. The vulnerability can be exploited by simply accessing a URL, which is why it has been assigned a high severity score.

Who is affected by this vulnerability?

Sites running Drupal versions 8, 7, and 6 (note that Drupal 6 is no longer supported) are all at risk. According to an FAQ post written by the Drupal security team, this adds up to over one million sites.

What should I do if I see this finding in my Disposable mail report?

Immediately upgrade to the most recent version of Drupal core. If you are running 7.x, the latest release is 7.58, and if you are running 8.5.x, you should upgrade to 8.5.1.

The Drupal security team has confirmed that exploits for this vulnerability have been developed and that evidence of automated attack attempts emerged last week. This is why we recommend that you inspect your logs for signs of malicious activity.

If you are unable to install the latest version of Drupal straightaway, you can use the patches suggested in the security advisory to temporarily fix the vulnerability until you can upgrade your installation.
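The steps above boil down to one question: is the installed Drupal core at or above the fixed release for its branch? The script below is an added example, not code from the original post and not the scanner the post describes. It takes the fixed versions named above (7.58 for the 7.x branch, 8.5.1 for the 8.5.x branch, and Drupal 6 treated as unpatched because it is no longer supported), reads the version string the way Drupal core records it (the `VERSION` constant in `core/lib/Drupal.php` for Drupal 8 and in `includes/bootstrap.inc` for Drupal 7, both real core files), and reports whether the install still needs the upgrade. The file excerpts embedded in it are constructed samples in the style of those files, not copies.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory summary above. Anything below the
# fixed release on the same branch is reported as vulnerable, so an 8.4.x
# site is flagged as well, matching the advice to move to 8.5.1.
FIXED_VERSIONS = {7: "7.58", 8: "8.5.1"}
UNSUPPORTED_MAJORS = {6}  # no fix available; upgrade off the branch

# How Drupal core records its own version string:
#   Drupal 8: core/lib/Drupal.php    ->  const VERSION = '8.5.1';
#   Drupal 7: includes/bootstrap.inc ->  define('VERSION', '7.58');
VERSION_PATTERNS = [
    re.compile(r"const\s+VERSION\s*=\s*'([^']+)'"),
    re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)"),
]

# Constructed excerpts (not real files) in the style of the two core files.
SAMPLE_D8 = """<?php
class Drupal {
  const VERSION = '8.5.1';
}
"""
SAMPLE_D7 = """<?php
define('VERSION', '7.57');
"""


def extract_version(source: str) -> Optional[str]:
    """Return the VERSION string found in a Drupal core source excerpt, if any."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(source)
        if match:
            return match.group(1)
    return None


def parse_version(version: str) -> Tuple[int, ...]:
    """Normalise '8.5.1', '7.58' or '8.5.1-dev' into a comparable tuple.

    Numeric parts are padded to three positions; a trailing marker of -1 makes
    pre-releases (-dev, -rc1, -alpha2, ...) sort before the final release they
    precede, so '8.5.1-dev' is still treated as older than 8.5.1.
    """
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(part) for part in match.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    marker = -1 if match.group(2) else 0
    return tuple(nums[:3]) + (marker,)


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for a Drupal core version."""
    parsed = parse_version(version)
    major = parsed[0]
    if major in UNSUPPORTED_MAJORS:
        return "vulnerable"
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        return "unknown"  # branch not covered by the advisory summary above
    return "patched" if parsed >= parse_version(fixed) else "vulnerable"


def assess_source(source: str) -> str:
    """Combine extraction and assessment for a core file's contents."""
    version = extract_version(source)
    return "unknown" if version is None else assess(version)


if __name__ == "__main__":
    for label, sample in (("Drupal 8 sample", SAMPLE_D8), ("Drupal 7 sample", SAMPLE_D7)):
        print(f"{label}: version {extract_version(sample)} -> {assess_source(sample)}")
    for candidate in ("7.57", "7.58", "8.5.0", "8.5.1-dev", "8.5.1", "6.38"):
        print(f"{candidate:>10}: {assess(candidate)}")
```

Run it against the real files by reading `core/lib/Drupal.php` or `includes/bootstrap.inc` from the web root and passing the contents to `assess_source`. A "patched" result only tells you core is current; as the post notes, it does not tell you whether the site was compromised before the upgrade.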

More information

Drupal Public Service Announcement
Drupal Security Advisory
Drupalgeddon 2.0 FAQ

Temp Mails (https://tempemail.co/) is a new free temporary email address service. This service provides you with random 10-minute email addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

9 biggest web security news of 2018 – 10 minute mail

The year started off with a bang as the Meltdown and Spectre research left almost all computing devices vulnerable. As the year moved on, Facebook, Magecart and 2FA alternatives were also part of the security discussion. Here are our top 9 picks for the biggest web security news of 2018:


1. Meltdown and Spectre

Meltdown and Spectre are collectively 3 critical vulnerabilities that put anyone with a computer made since 1995 on their feet. Meltdown (CVE-2017-5754) is a hardware vulnerability that attacks the protection of data in memory, and the name was given because the attack “melts” security boundaries. Spectre (CVE-2017-5753 and CVE-2017-5715) is reported to affect every single computing device, as it has been verified that the flaws affect Intel, AMD, and ARM processors. Their exploitation allows hackers to access passwords stored in a password manager or browser, personal photos, emails, private messages and even business-critical documents.

2. Facebook – “View As” feature

Facebook has been in the public eye on several big occasions this year, including the Cambridge Analytica scandal and Mark Zuckerberg’s testimony in front of the US Congress about data privacy. The year wouldn’t be complete without a hacker attack. In late September, 50 million people were automatically logged out of their Facebook accounts due to a hacker attack via the “View As” feature. The hackers began by exploiting the video uploading feature and eventually chained this together with a weakness in the “View As” feature. During this process a user token was generated for the user being viewed as, which was never intended to happen, and that token appeared in the HTML code. From there the hackers gained access to the user account and automated their attack, which eventually produced an activity spike that caught Facebook’s attention and let it take action in time. In total, there were 3 bugs that the malicious actors were able to chain together to gain access to user tokens. When Facebook became aware of this, it forced a logout to reset tokens for 50 million users and an additional 40 million who were potentially affected. Whilst Facebook’s logging and monitoring practices allowed it to act fast and alert users well, the company seems unwilling to take more security risks, as there are plans to add a cybersecurity company to their group.

3. Marriott – 500 million users had data stolen. Hackers had access since 2014

Going down as one of the largest data breaches to happen so far, 500 million Starwood guests had personal details such as names, addresses, passport information and emails exposed to malicious hackers. Reports state that the hackers were in the system back in 2014, before Marriott acquired the Starwood Hotel brand in 2016, and this has angered many security experts and the public in general, knowing that SPG was aware of the issue and it was not addressed during the acquisition. The personal information taken was encrypted; however, given 4 years’ time, one could be certain that the hackers were able to decrypt the details. It is not certain whether Marriott was aware of this or not, but we can expect cybersecurity to be taken more seriously in future business acquisitions.

4. Another year of leaky S3 buckets, which led to AWS finally changing the privacy settings for bucket configurations

As in 2017, this year saw several high-profile companies, including FedEx and GoDaddy, fall victim to customer data leaks caused by cloud storage misconfigurations, especially of S3 buckets. These are often the fault of the company that misconfigured its AWS S3 bucket, but we even saw a case where an AWS employee made the S3 bucket misconfiguration mistake for GoDaddy. The consequence: public exposure of highly sensitive information, including GoDaddy’s hosting infrastructure, operating systems, workloads and more, which gave away a lot of competitive intelligence. This finally prompted AWS to change the bucket settings and make it easier for users to block public access to buckets.

5. Implementation of GDPR and Google and Facebook slapped with fines

2018 was also the year GDPR came into play, and this had all sorts of professionals scrambling to make sure their practices were compliant: lawyers were cashing in on new business, some opportunists upgraded their careers to become a DPO, and end users were bombarded with emails regarding GDPR, all before May 25th. There was no grace period for GDPR enforcement, as Google and Facebook were given fines immediately. Not only did GDPR get ordinary people to start thinking a bit more about the privacy of their personal details, but it has challenged companies to work more proactively with security.

6. Magecart and third-party javascript

Magecart, an online criminal hacker group, has been using cross-site scripting (XSS) tactics to inject malicious code into different online credit card forms. By doing so they’ve been able to steal sensitive information including, yes of course, credit card details and personal names. This method is used widely, and the companies compromised by this attack are many and include British Airways and Inbenta, a third-party JavaScript component used by Ticketmaster. This serves as a good reminder to always check web applications for XSS, and especially third-party software, as Magecart does not show signs of stopping.

7. SMS 2FA not secure

Reddit was hacked in June and their employee accounts were compromised despite having 2FA via SMS enabled. As their report explains, the attacker was able to intercept SMS messages containing the access code and use this to log into the employee accounts. This prompted a great discussion on what kind of 2FA is needed. Reddit themselves suggest using a token-based 2FA as well as ensuring passwords are complicated. You can find these tips and more in our tips for secure remote work.

8. Drupalgeddon

A remote code execution vulnerability was found in Drupal, and this critical vulnerability was aptly named Drupalgeddon v2.0. It affects versions 6 through 8, and if exploited the bad actor would have access to all non-public data and also have the ability to modify or delete items. According to official notes, updating Drupal alone will not remove backdoors or fix compromised sites. Therefore anyone affected has to update right away but also run their own security checks to remediate the issue.

9. Stop playing security whack-a-mole

Parisa Tabriz, Director of Engineering at Google, opened this year’s Black Hat USA by calling on everyone to implement long-term defensive security. Rather than playing what she called security whack-a-mole and tackling security issues as they come up, there needs to be more strategic and proactive action to ensure security in a company. She cited Google Project Zero as one way they’ve used offensive security examples to improve defensive security tactics, leading to more transparency and collaboration to make end users safer. Companies should build ongoing security processes and invest in training, build up security champions and develop a security culture in the organization. Some argue security needs to be thought of earlier in the development cycle, which lends more support to the adoption of DevSecOps.

What can we expect next year? We asked our security researcher and technical content writer, Linus Särud:

In 2019, we can expect more cloud-related issues on the rise as well as misconfigurations with third-party providers. They may not necessarily be from S3 bucket leaks due to the changes, but could be of similar nature.

Serverless, microservices and APIs are the “new thing” and we can expect acceleration in migration over to these services. As a consequence we anticipate more SSRF attacks. When companies go serverless and the traditional RCE is no longer possible, SSRF takes its place. It can be used to request internal servers and steal tokens or credentials used for cloud configurations. In early 2018, Google was vulnerable to this. Here is another write-up on how SSRF can be a problem when running on Amazon, causing the cloud to rain credentials.

Lastly, we expect more subdomain takeovers to occur, and while this has been hyped for a long time there will be a lot to be discovered in this area. On the positive side, we anticipate more awareness of cloud security risks and the continued rise of DevSecOps, where security is considered earlier in the development cycle and companies apply proactive defence instead of reactive measures, enabled by more automation and testing. There will be more open discussions about personal data management because of the GDPR, NIS directive and other security regulations. People will start to think differently about the security of personal information, in a more protective way, which is a good thing!

Here’s to an even more secure 2019! Is your team equipped with all the tools to make 2019 a secure year for your teams? You can automate some of your security checks using Disposable mail. Ready to give us a try? Sign up for a free trial.



Disposable mail now checks for Drupal RCE (CVE-2019-6340) – 10 minute mail

On February 20th, Drupal released a security update that fixes a critical remote code execution vulnerability. Disposable mail scans your site for this vulnerability and will alert you if you are running a vulnerable version of Drupal.