More Major Moodle Security Vulnerabilities Discovered
Moodle, the open source learning management system, has been plagued with major security and privacy vulnerabilities over the past couple of years, and the severity of those issues appears to be on a sharp upward trajectory. Information about another batch of very serious security and privacy issues was released yesterday (Saturday, 27 March 2010) with notice that everyone needed to upgrade.
Understand: these issues weren’t discovered yesterday. They have been in your codebase for a very long time; they were simply disclosed yesterday, and only to a select few people.
The details of those security and privacy vulnerabilities were sent out on Saturday to a mailing list, and so to every hacker in the world who has bothered to subscribe to it. Subscribing to this “advance notice” list is as simple as pushing one button; no verification of identity is required. Ironically, if you look at the release notice for Moodle 1.9.8, this is what you see about the security issues:
1. The details of these very serious issues have already been emailed to every hacker subscribed to that list, by the Moodle lead developer himself. On Monday morning, those Moodle admins who happen to be subscribed to the list will discover what hackers have known since at least Saturday, and probably much longer.
2. By Moodle’s own figures, only about 0.17% of its users (45,000 of 27 million) are even registered with Moodle, let alone subscribed to this security list. Of course, Moodle has no way of knowing how many of the actual subscribers are not Moodle admins at all, but would-be hackers waiting for their “advance notice”.
“The software is used by 27 million people worldwide, but only 45,000 are officially registered, so it is difficult for Moodle.com to alert everyone.”
3. By Moodle’s own figures, that means well over 99% of the user base has not been notified by this “advance” notification system.
4. The notice was sent out yesterday and is already posted all over the web. Of course, none of the places where it is posted are places Moodle users would be visiting. One of many: http://pastebin.com/gQyWEszM (you can Google for others).
If you are using Moodle in any kind of real-world situation, you should be very concerned not only about the recent flurry of major security issues plaguing the software, but also about the way official notice is sent out to hackers while the user base at large is kept in the dark.
As I’ve said before, it’s my belief that at the same time these issues are sent out to that list, they should also be plastered across the moodle.org homepage and posted to every Moodle blog, website, Twitter account, etc., to give everyone a fighting chance of defending their sites against would-be hackers.
Just the opinion of one informed user who is not affiliated with Moodle.