Weakness in Adobe ColdFusion allowed court hackers access to 160K SSNs

The Washington state Administrative Office of the Courts (AOC) has confirmed that attackers leveraged a previously repaired Adobe software bug to access its website and make off with hundreds of thousands of Social Security and driver's license numbers.

Court officials on Thursday revealed that hackers definitively made off with 94 Social Security numbers, but that as many as 160,000 may have been compromised, alongside one million driver's license numbers.

Wendy Ferrell, a spokeswoman for Washington state AOC, told SCMagazine.com that a previously patched vulnerability in Adobe's ColdFusion application server was used to carry out the attack. Adobe fixed the exploited weakness in January.

That patch actually addressed four ColdFusion vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632), all of which could permit an unauthorized user to remotely bypass authentication controls to take over the targeted server. Ferrell did not say which of the defects was used.

In a Friday email to SCMagazine.com, Heather Edell, an Adobe spokeswoman, said the company wasn't directly made aware of the breach.

“We do not have any information outside of published reports,” Edell wrote. “That said, we have issued patches for ColdFusion over the past few months. As always, Adobe recommends that users follow security best practices by updating software to the latest version available.”

Coincidentally, a day before the breach was revealed, Adobe disclosed that it was aware of live exploits targeting a yet-unpatched ColdFusion vulnerability, but it's now apparent that that bug wasn't the one on which the attackers relied.

According to a post on the Washington state court site, those affected by the breach either were booked into a city or county jail in the state between September 2011 and December 2012, received driving under the influence (DUI) citations between 1989 and 2011, had traffic cases filed between 2011 and 2012, or had a superior court criminal case filed against them or resolved between 2011 and 2012.
