Recently ParisHilton.com got hacked. In the rush to find a culprit, however, security experts quoted in InformationWeek incorrectly blamed the open-source Joomla web content management system for the security breaches.
According to [a senior security researcher at ScanSafe], there's an iFrame that has been embedded in the ParisHilton.com Web site....She said it wasn't clear how the iFrame got added to Paris Hilton's site, but she said it could be because of a vulnerability in the open source content management system Joomla, which has been a common factor in other reports.
Such "other reports" include this one in ComputerWeekly. The problem with blaming Joomla for security breaches at ParisHilton.com and many of the other sites in question?
They aren't Joomla sites at all.
This is lazy security "research" by the ScanSafe researcher and the other "experts" cited in these articles. It's like blaming Microsoft for security breaches...on a Linux server. It might make for an easy scapegoat, but that doesn't make it any less false.
I spoke with Elin Waring, president of Open Source Matters, a part of the Joomla! project, who suggested that "both times [the security allegations surfaced] within a week of a regular release that included some security patches, which I think probably is not a coincidence." She may have a point. Is the security community seeing the patches and assuming they must have been released to fix the high-profile security website breaches?
This is plausible, but again, ParisHilton.com and others among the websites in question weren't Joomla-managed websites at all. It's therefore understandable when commenters on the InformationWeek story about the ParisHilton.com hack say things like this:
For the expert to say, "it could be because of a vulnerability in the open source content management system Joomla, which has been a common factor in other reports" when not doing the basic research to know if the site was actually running Joomla really brings into question both the credibility of the expert as well as the reporter that quoted said expert.
It "could be" any software package that manages Web sites, because any of them "could have" been the application behind the site in question. Naming a specific Web application in such a manner without being certain it is the one managing the site is ethically and morally wrong if not legally.
Amen. Whether Joomla was simply a convenient scapegoat or a likely culprit, the reporters and "security experts" did a shoddy job by unfairly and inaccurately allocating blame to Joomla. Time for a retraction? The days of being able to casually blame open source for being a security risk are long gone. Time for the "security" community to wake up.
Disclosure: I work for Alfresco, which both competes with and partners with/supports the Joomla open-source WCM project. And, yes, I quite like Joomla.