A high severity vulnerability found in SecureDrop, a whistleblower submission system used by newsrooms and advocacy groups, prompted a patch from developers and coordination with dozens of prominent news organizations that use the software to communicate with sensitive sources.
The bug, blamed on developer error, leaves the system unable to verify key packages and can grant remote code execution against targets. Some SecureDrop users, including the New York Times, are reinstalling the software as part of a general update.
Other organizations “decided that the chance of an attack was so remote that they do not believe a reinstall is necessary,” SecureDrop developers explained.
The vulnerability has not been spotted in the wild and “would be incredibly difficult to pull off,” according to a bulletin posted on Tuesday afternoon.
While stressing the difficulty of exploitation, SecureDrop developers said it’s “likely that only a nation-state actor with network-level access would have the ability to conduct such a sophisticated man-in-the-middle attack to replace the affected packages with malicious code. Any attacker would also have had to have had invasive, targeted surveillance on either the news organization or Freedom of the Press Foundation to know exactly when the installation was occurring and be able to target that specific network, making the window for such an attack very narrow.”
It makes sense, then, that a target like the New York Times — which has repeatedly found itself to be targeted by nation-state adversaries — would take all precautions.
The Times’ Director of Information Security, Runa Sandvik, tweeted the company’s response on Tuesday. Facing a similar threat model, The Intercept followed suit and directed all sources to their newly updated and protected version of SecureDrop.
SecureDrop is open-source software designed to facilitate secure, anonymous communication between sources and journalists. The software is managed by the Freedom of the Press Foundation and it used at organizations including the New York Times, the Washington Post, the Guardian and the Intercept.