According to a cybersecurity firm, a vulnerability detected on the official website of premium sports car maker Ferrari could have exposed potentially sensitive information.
Researchers at Char49, an organization that provides penetration testing, auditing, and training services, identified the flaw in March. Ferrari fixed the flaw within a week. The researchers discovered that the domain 'media.ferrari.com' is powered by WordPress and that it was using an outdated version of W3 Total Cache. This plugin is deployed on over a million websites.
The plugin was vulnerable to CVE-2019-6715, a bug that allows an unauthenticated attacker to read arbitrary files. The researchers were able to access the 'wp-config.php' file, which stores WordPress database passwords in clear text, by exploiting the vulnerability.
According to David Sopas of Char49, the exposed database contained information about the media.ferrari.com domain.
While the researchers did not dig any deeper, in order to stay within responsible disclosure standards, Sopas observed that the vulnerability could have been exploited to gain access to other files on the web server, including those containing information of value to threat actors.
Ferrari corrected the vulnerability after being notified by updating the WordPress plugin. While there is no evidence that the security flaw explicitly exposed customers or other sensitive information in this situation, it is critical for high-profile organizations like Ferrari to guarantee that none of their systems is vulnerable.
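The two defensive points in this story are the arbitrary file read that exposed wp-config.php and the fix of updating an outdated plugin. The following Python is an added example, not code from Char49, Ferrari or the article: it scans web-server access-log lines for traversal sequences and references to sensitive files (decoding URL-encoded paths first, since such requests are often encoded), and it compares an installed plugin version against a minimum version you supply. The log lines, IP addresses and paths are constructed for the example, and the plugin versions passed in are placeholders rather than the real version numbers for CVE-2019-6715.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined-style). Hosts, paths and
# timestamps are invented for this example; none come from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2023:10:01:02 +0000] "GET /wp-content/uploads/2023/03/brochure.pdf HTTP/1.1" 200 51234
203.0.113.11 - - [10/Mar/2023:10:01:05 +0000] "GET /index.php?template=..%2F..%2Fwp-config.php HTTP/1.1" 200 2104
203.0.113.12 - - [10/Mar/2023:10:01:09 +0000] "GET /?s=ferrari HTTP/1.1" 200 9120
203.0.113.13 - - [10/Mar/2023:10:02:31 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 312
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# File names whose appearance in a request path or query is worth an alert.
SENSITIVE_FILES = ("wp-config.php", ".env", "/etc/passwd", ".htpasswd")


def normalize_target(target: str) -> str:
    """URL-decode up to three times (defeats double encoding), unify slashes, lowercase."""
    current = target
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/").lower()


def classify_target(target: str) -> list[str]:
    """Return the reasons a request target looks like a file-read attempt (empty if benign)."""
    norm = normalize_target(target)
    reasons = []
    if "../" in norm:
        reasons.append("path traversal sequence")
    for name in SENSITIVE_FILES:
        if name in norm:
            reasons.append(f"sensitive file reference: {name}")
    return reasons


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> list[dict]:
    """Return one finding per suspicious request, in log order.

    A 2xx response to a suspicious request is rated 'high' because the server may
    actually have served the file; anything else is 'medium' (attempt only)."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        reasons = classify_target(entry["target"])
        if not reasons:
            continue
        served = entry["status"].startswith("2")
        findings.append({
            "ip": entry["ip"],
            "target": entry["target"],
            "status": int(entry["status"]),
            "reasons": reasons,
            "severity": "high" if served else "medium",
        })
    return findings


def version_key(version: str) -> tuple:
    """Turn a dotted version such as '0.9.7' into a comparable tuple, padded to 4 parts."""
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))


def plugin_outdated(installed: str, minimum: str) -> bool:
    """True if the installed plugin version is below the minimum you require.

    'minimum' is a placeholder supplied by the caller; this example does not
    encode the real fixed version for any particular CVE."""
    return version_key(installed) < version_key(minimum)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} -> {f['target']} ({f['status']}): {', '.join(f['reasons'])}")
    # Placeholder versions, not the real numbers for W3 Total Cache.
    print("plugin outdated:", plugin_outdated("0.9.7", "0.9.7.1"))
```

Run it against a real access log by passing the file contents to scan_log; the severity split is the useful part, since a 200 response to a request that names wp-config.php is the case that warrants rotating the database credentials rather than just blocking the source address. The version check is deliberately generic so the minimum version can come from your own inventory or the plugin's advisory.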
Ferrari revealed in March that it was the victim of a ransomware attack in which hackers stole customer information.