Hackers briefly hijacked The Washington Post‘s mobile website and displayed messages critical of the news media and Saudi Arabia, according to a security researcher who documented the hack.
Data collected by North Carolina-based computer scientist Kenn White shows no evidence the people responsible used the hack in an attempt to install malware on the devices of people visiting the site. That’s a lucky break, since the attackers appeared to have complete control over m.washingtonpost.com for what White estimated was about 30 minutes. Instead, they used their control of the subdomain to display hacktivist messages including “The media is always lying” and “Saudi Arabia and its allies are killing hundreds of Yemens people [sic] every day!”
A Washington Post executive told CNN the page was redirected to a site claiming affiliation with the Syrian Electronic Army hacktivist group. Company engineers were redirecting mobile users to the desktop version of its site as they worked through the problem.
According to a post published by Motherboard someone claiming responsibility for the hack said it was executed by compromising one or more accounts at content delivery network Instart Logic. The person told the news service the hacking group also had access to NewsCorp, US News, and “other non-media companies” such as Newrelic, Business.com, Getty Images, and Quora. The person declined to say exactly how the hack involving Instart Logic was carried out.
The episode appears to be little more than an inconsequential hacktivist stunt, but White said it might have been much worse. And of course, if a rag-tag band of hacktivists can commandeer a site that’s visited by millions of people, it stands to reason it could also be pierced by criminally motivated hackers who would keep a much lower profile. White said he documented the compromise by using a laboratory PC that mimicked a smartphone to repeatedly visit the compromised subdomain.