The Syrian Electronic Army, the notorious hacking group that has hit several high-profile media companies such as the Associated Press, The New York Times, and CNN, hacked the Washington Post mobile site on Thursday afternoon.
For a brief period of time, visitors to the Post’s mobile site (m.washingtonpost.com) saw pop-up alerts with messages such as “You’ve been hacked by the Syrian Electronic Army.”
Washington Post— Andrew (@_andrew_griffin) May 14, 2015
Th3 Pr0, one of the members of the group, confirmed to Motherboard that they were indeed the group behind the attack, which appeared to last for around 30 minutes. Th3 Pr0 said that they were able to insert the alerts by hacking into Instart Logic, a content delivery network (CDN) used by the Washington Post.
“We hacked InStart CDN service, and we were working on hacking the main site of Washington Post, but they took down the control panel,” Th3 Pr0 told Motherboard in an email. “We just wanted to deliver a message on several media sites like Washington Post, US News and others, but we didn't have time :P.”
The group often defaces media sites by hacking into other third parties, such as ad networks, that serve content on the sites.
Th3 Pr0 said that they had access to several other sites, such as NewsCorp, US News, and "other non-media companies" such as Newrelic, Business.com, Getty Images, and Quora. But he declined to be more specific when asked how they hacked Instart Logic.
Instart Logic did not immediately respond to a call requesting comment.
This is the second time the hackers get to the Washington Post. The group briefly disrupted the site in 2013 with a phishing attack.
Shailesh Prakash, the Washington Post chief information officer sent the following statement.
“The Washington Post’s mobile homepage and some section fronts on the mobile site were redirected to a site that claimed to be run by the Syrian Electronic Army. The situation has been resolved and no customer information was impacted.”
A Post spokesperson, confirmed to Motherboard that the hack "came through our CDN provider," and confirmed that Instart Logic is the paper's CDN.
Yet, White thinks attacks like this should not be dismissed, because the hackers could have done much more than just display an alert. Having access to the CDN allowed them to insert malicious code and exploit visitors.
"The key point is by controlling the DNS or a CDN, an attacker controls your site, your code, your authentication cookies, your links," he told Motherboard. "No bueno."
This hack shows, once again, that a site is only as secure as its third-party resources, including ads, are.
This story has been updated.