Hackers continue to gain ground on the web after Patreon.com, an online crowdfunding service that lets artists attract recurring, sustained funding, was infiltrated while its developers had the debugger of the Werkzeug utility library enabled on a public-facing server. The breach allowed the attackers to harvest nearly all of the service’s user information.
Detectify had notified Patreon on September 23 that the debugger was exposed on the company’s website. A Shodan search shows that thousands of other websites expose the same debugger, an open invitation to attackers. Any visitor to a site running the Werkzeug debugger can execute arbitrary code on the server directly from a browser, giving them broad access to its data.
The biggest challenge for Patreon is that donor details for its clients may have leaked. Although credit card information was not obtained in the breach, data such as social security numbers, tax information, passwords, addresses, names, and email addresses was compromised.
According to PC World, security researcher Troy Hunt tweeted, “It’s supporters’ identities, messages, etc. Everything private now public.”
The dollar figure for the Patreon campaigns isn't the issue, it's supporters identities, messages, etc. Everything private now public.
— Troy Hunt (@troyhunt) October 2, 2015
Even communications between donors and the creators they support were exposed, and such messages are a marketable asset for criminals.
A Detectify researcher told Ars Technica that “This is basically Remote Code Execution by design. An RCE is basically game over. You can inject code directly to the application, exposing all data on the server which the application has access to.” The data a crowdfunding platform’s application can reach is extensive, and it grows as the service becomes popular and widens its client base.
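As an added illustration, not code from the article, from Patreon or from the Werkzeug project, the Python below shows the weak setting the article describes (a Flask application started with the Werkzeug debugger on and bound to every interface) beside a corrected version, together with two defender-side checks: a source lint that flags the real Flask/Werkzeug call patterns which switch the debugger on, and a startup guard that refuses to serve with the debugger enabled unless the deployment declares itself local development. The `APP_ENV` variable name and both sample sources are constructed for this example.

```python
# Added example, not code from the article, Patreon, or the Werkzeug project.
#  1. find_debug_settings(): lints source for the Flask/Werkzeug call patterns
#     that enable the interactive debugger (the patterns themselves are real).
#  2. startup_decision(): a policy guard to run before app.run()/run_simple().
# APP_ENV and the two sample sources are assumptions made for this demo.
import re
from typing import Dict, List, Tuple

# Constructed sample: the weak setting, as it might be committed and deployed.
WEAK_SOURCE = """\
from flask import Flask
app = Flask(__name__)

if __name__ == "__main__":
    app.run(host="0.0.0.0", debug=True)  # debugger reachable by every visitor
"""

# Constructed sample: the corrected setting. The debugger can only turn on when
# the environment says "development", and then the server stays on loopback.
HARDENED_SOURCE = """\
import os
from flask import Flask
app = Flask(__name__)

if __name__ == "__main__":
    dev = os.environ.get("APP_ENV") == "development"
    app.run(host="127.0.0.1" if dev else "0.0.0.0", debug=dev)
"""

# Each pattern is one way the Werkzeug debugger gets hard-coded on.
DEBUG_PATTERNS = [
    (re.compile(r"\bdebug\s*=\s*True\b"), "app.run(debug=True)"),
    (re.compile(r"\buse_debugger\s*=\s*True\b"), "run_simple(use_debugger=True)"),
    (re.compile(r"\bDebuggedApplication\s*\("), "DebuggedApplication wrapper"),
    (re.compile(r"\bFLASK_DEBUG\s*=\s*1\b"), "FLASK_DEBUG=1"),
]


def find_debug_settings(source: str) -> List[Tuple[int, str]]:
    """Return (line number, what matched) for every line that hard-codes the
    debugger on. A value derived from the environment does not match."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, what in DEBUG_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, what))
    return hits


def debugger_allowed(environ: Dict[str, str], bind_host: str) -> bool:
    """Policy: the interactive debugger is acceptable only for a deployment that
    declares itself development AND listens on loopback only."""
    return (environ.get("APP_ENV") == "development"
            and bind_host in ("127.0.0.1", "localhost"))


def startup_decision(environ: Dict[str, str], bind_host: str, debug: bool) -> str:
    """Call before app.run()/run_simple(): 'refuse' means do not start serving."""
    if debug and not debugger_allowed(environ, bind_host):
        return "refuse"
    return "start"


if __name__ == "__main__":
    for name, src in (("weak", WEAK_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(name, find_debug_settings(src))
    print(startup_decision({"APP_ENV": "production"}, "0.0.0.0", True))
```

The lint is meant to run in CI over application sources and deployment files; the startup guard belongs in the application’s own entry point, so a server with the debugger enabled never begins listening on a non-loopback address in the first place.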
It is not yet clear why Patreon did not immediately address the security concerns Detectify staff presented to it. Several tech news outlets are trying to uncover further details of the breach, which follows a similar hacking incident at the Ashley Madison website.