Last week, engineers at Freedom of the Press Foundation discovered a 3-year-old vulnerability in SecureDrop, the whistleblower submission system that The Intercept, along with dozens of other news organizations, relies on to communicate securely with anonymous sources.
The window of attack for this vulnerability is extremely small, and it is highly unlikely that our server was exploited. What’s more, this vulnerability would not have allowed an intruder to obtain the IP addresses of sources using the server.
Nevertheless, out of an abundance of caution, we have taken steps to ensure that our SecureDrop server is as secure as possible going forward. In the interest of transparency, we wanted to inform readers and sources of these changes:
- We quickly shut down our old SecureDrop servers last Wednesday after learning of the issue.
- We obtained new hardware and installed SecureDrop from scratch on this hardware.
- We generated all-new encryption keys, which means the Tor onion address of our SecureDrop server has changed. The new address is: http://intrcept32ncblef.onion/
- We backed up old source accounts and restored them to the new server.
If you’re an existing source, you can log in to the new server with your existing credentials. But we recommend that you create a new account after making contact with us using your old account.
The vulnerability was discovered last week by SecureDrop engineers during an internal code audit. “We have not seen any evidence that anyone even knew of this bug since we found it ourselves,” Jen Helsby, lead developer of SecureDrop, told me.
The security flaw involves how the SecureDrop software is installed on servers for the first time. The SecureDrop installer downloads supporting software using the package manager of its operating system, Ubuntu. Because these software packages come from servers run by volunteers, they are supposed to be cryptographically verified; that is, they must be digitally signed with a trusted encryption key. If the verification succeeds, the package is installed. If the verification fails, that may mean an attacker has replaced the software package with one that includes malicious code, and the installation should halt. But the SecureDrop installer skipped the verification step for three software packages.
“This means that an attacker that was able to predict when the installation was taking place could man-in-the-middle that traffic and send code that will be executed on the SecureDrop server,” said Helsby.
In other words, while we were first installing SecureDrop, there was a short window of time, measured in seconds, when an attacker could have exploited this vulnerability. The attacker would have to know about the vulnerability, know exactly when and where we installed SecureDrop, and would also have to be in a position to perform network attacks against us at the time.
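As an added illustration of the class of check described above (this is not SecureDrop's code, and the article does not say which setting its installer used), here is a small shell audit that flags apt and Ansible settings which let a package install even when its signature fails to verify; the sample configuration files it writes are constructed for the demonstration:

```bash
#!/usr/bin/env bash
# Added example, not SecureDrop's own code: audit apt configuration and
# provisioning files for settings that let apt proceed when a package's
# signature verification fails. Option and flag names are real apt/Ansible
# settings; the sample files written by make_samples are constructed.

# Patterns that disable or bypass apt's signature checks:
#   APT::Get::AllowUnauthenticated "true";        (apt.conf)
#   Acquire::AllowInsecureRepositories "true";    (apt.conf)
#   apt-get --allow-unauthenticated / --force-yes (deprecated, implies it)
#   deb [trusted=yes] ...                          (sources.list)
#   Ansible apt module: allow_unauthenticated: yes, or force: yes
UNSAFE_PATTERNS='AllowUnauthenticated[[:space:]]*"?true|AllowInsecureRepositories[[:space:]]*"?true|--allow-unauthenticated|--force-yes|\[[^]]*trusted=yes|allow_unauthenticated:[[:space:]]*(yes|true)|^[[:space:]]*force:[[:space:]]*(yes|true)'

# apt_verification_audit FILE...
# Prints every offending line as file:lineno:text and returns 1 if any file
# contains one (so a CI job fails), 0 if all files are clean.
apt_verification_audit() {
    local status=0 f
    for f in "$@"; do
        grep -niHE "$UNSAFE_PATTERNS" "$f" && status=1
    done
    return "$status"
}

# make_samples DIR: writes two unsafe and one clean constructed file into DIR.
make_samples() {
    local dir=$1
    cat > "$dir/unsafe.conf" <<'EOF'
APT::Get::AllowUnauthenticated "true";
EOF
    cat > "$dir/unsafe.yml" <<'EOF'
- name: install dependencies
  apt:
    name: tor
    force: yes
EOF
    cat > "$dir/clean.conf" <<'EOF'
APT::Get::AllowUnauthenticated "false";
APT::Install-Recommends "false";
EOF
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
make_samples "$SAMPLE_DIR"
apt_verification_audit "$SAMPLE_DIR"/*   # lists the two unsafe lines
```

Run it against your own /etc/apt/apt.conf.d/*, sources.list and provisioning playbooks; any hit means a package could be installed without a trusted signature.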
Sources are only able to interact with SecureDrop over the Tor network, which means that if an attacker successfully compromised a SecureDrop server, they still couldn’t learn the IP addresses of sources. However, the attacker would be able to read documents and messages sent through the system, which are temporarily available in memory before they get encrypted and saved to disk.
Freedom of the Press Foundation has alerted news organizations that rely on SecureDrop about the vulnerability. Besides The Intercept, users of the system include the New York Times, Washington Post, ProPublica, the New Yorker, the Associated Press, and various others.
“We think the probability of this being exploited is extremely low,” Helsby said. But Freedom of the Press Foundation recommends that news organizations that have a nation-state level adversary reinstall SecureDrop, just to be safe.
The Intercept’s new SecureDrop server is up and accepting submissions. Check out these whistleblower instructions to learn how to securely and anonymously contact journalists at The Intercept.