Hacker says he didn't steal anything, Citrix confirms

Jan 17, 2016 13:10 GMT

Citrix, a US company providing SaaS software solutions, this week acknowledged a data breach that occurred last October, but denied claims that the hacker got access to company or customer data during the incident.

Back on October 25, 2015, a Russian hacker known as w0rm, who previously hacked media sites like the Wall Street Journal, BBC and Vice, published a blog post in which he detailed how he got access to Citrix's website CMS application, using the [email protected] username and the Citrix123 password.

Because it was in Russian, the infosec press did not pick up on his findings, and only this week, when Citrix published its own blog post regarding the incident, did more details come to the surface.

In his blog post, w0rm claimed he found several vulnerabilities and exploits in Citrix's CMS that would allow him to take control of the content stored on the server and even modify pages and content sent to Citrix's users.

Hacker told the company about its security hole, did not steal anything

Surprisingly for a hacker who broke into other websites with no regrets, w0rm said he didn't take anything from the Citrix server, but instead contacted Citrix to let them know of their vulnerabilities. He said the only reason he published his blog post was to force Citrix's hand in fixing the flaws.

In response, Citrix said in its own blog post that w0rm only managed to access one isolated server used just to stage content for the GoTo family of websites. Citrix insisted that no data about its services, employees, or customers was ever stored on that server.

Additionally, the company refuted claims that the hacker would be able to send malicious content to its customers.

"Although the content management server allowed anonymous access to content, anonymous access is insufficient to write metadata changes to production," said Stan Black, Citrix Chief Security Officer. "The server has been reconfigured, and administrative passwords have been changed."

Mr. Black also said that no other Citrix servers were accessed during this incident.