Flashpoint came out swinging today against an independent researcher who reported that the security company’s public-facing website was serving malware.
In what Flashpoint called an "after action report," the company denied the website was itself infected with malware, but did admit that on April 12-13 the WordPress Yuzo Related Posts plugin used on the site was susceptible to a zero day flaw that was being exploited. However, the company flatly denied Dancho Danchev’s statement that Flashpoint was delivering malware to its site’s visitors.
“It appears that Flashpoint's official web site is currently embedded with malware-serving malicious script potentially exposing its visitors to a multitude of malicious software,” Danchev wrote.
In response, Flashpoint posted “Flashpoint’s public-facing website is not and was never serving malware.”
In actuality, according Flashpoint, the plug-in exploit "temporarily" redirected some site visitors who had JavaScript enabled to an external website with a pop-up that was dealing malware. Flashpoint said once the issue was observed, the site was taken down until the problem was mitigated.
“No PII or customer information was breached, and our public-facing website is segregated from all other systems and production environments. The attack wasn’t targeted at Flashpoint specifically. It was an automated attack that picked up our site and injected the vulnerability,” Flashpoint said.
The initial compromise took place sometime between April 12, 23:44 EDT and April 13 at 01:24 EDT. The site was taken down and mitigation efforts began on April 14, 13:42 EDT and completed by 13:58pm EDT that same day.
SC Media emailed Danchev for a response to Flashpoint’s clarification of his findings, but has not yet received a response.
