ButterCMS unreported downtime and security concerns

submitted by
Style Pass
2024-09-23 10:30:07

ButterCMS is a popular tool used to manage content for blogs. Earlier this week, we noticed a potentially severe security incident, which prompted the team to remove ButterCMS from our site and start an in-depth investigation into what happened.

Our aim is to share the findings of our investigation to show what can happen when you trust dynamic 3rd parties without continuous verification.

We observed the incident beginning at 08:00 (PT) September 9th, when we noticed a significant increase in errors because the DNS was failing to resolve the hostname. This resulted in an outage of the blog on our website.

When we dug deeper, we noticed the ButterCMS domain had a WHOIS update at the same time as our issues started. A logical reason for this could’ve been a renewal or a change in ownership of the domain. The latter would be highly concerning.

If the domain was “sniped” and had fallen into malicious hands, it could have posed a serious security risk, akin to the Polyfill incident, where a change of domain ownership caused a major browser supply chain attack on nearly 500,000 websites. This resulted in malicious code being injected into millions of visitors' browsers, leading to malicious redirects and potentially other stealthy attacks that were not noticed because client-side security monitoring is underutilized.
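
One way to tell a routine renewal from a change of control when a third-party domain's WHOIS record updates, as an added example that is not from the original post: it compares two snapshots and flags registrar, registrant or name-server changes. The field names follow common gTLD WHOIS output; the domain, registrar names and dates are constructed.

```python
# Added example: classify the difference between two WHOIS snapshots of a
# third-party domain. All sample records below are constructed.

CONTROL_FIELDS = ("registrar", "registrant organization", "name server")
DATE_FIELDS = ("updated date", "registry expiry date")

def parse_whois(text):
    """Parse 'Key: value' WHOIS lines into {key: sorted lowercased values}."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().lower()
        if sep and value and key in CONTROL_FIELDS + DATE_FIELDS:
            record.setdefault(key, []).append(value)
    return {k: sorted(v) for k, v in record.items()}

def classify_change(before_text, after_text):
    """Return (verdict, changed_fields) for two snapshots of one domain."""
    before, after = parse_whois(before_text), parse_whois(after_text)
    changed = [f for f in CONTROL_FIELDS + DATE_FIELDS
               if before.get(f) != after.get(f)]
    if not changed:
        return "unchanged", changed
    if any(f in CONTROL_FIELDS for f in changed):
        # Registrar, registrant or DNS delegation moved: review before trusting.
        return "control-change", changed
    # Only dates moved. Consistent with a renewal, but not proof of one:
    # registrant data is often redacted, so keep other integrity checks.
    return "renewal-or-update", changed

BASELINE = """\
Domain Name: VENDOR-CDN.EXAMPLE
Registrar: Example Registrar A
Registrant Organization: Example Vendor Inc
Name Server: NS1.VENDOR-DNS.EXAMPLE
Name Server: NS2.VENDOR-DNS.EXAMPLE
Updated Date: 2023-03-01T00:00:00Z
Registry Expiry Date: 2024-03-10T00:00:00Z
"""
RENEWED = (BASELINE.replace("2023-03-01", "2024-03-02")
           .replace("2024-03-10", "2025-03-10"))
TRANSFERRED = (RENEWED.replace("Example Registrar A", "Example Registrar B")
               .replace("VENDOR-DNS.EXAMPLE", "OTHER-DNS.EXAMPLE"))

if __name__ == "__main__":
    for name, snap in (("renewed", RENEWED), ("transferred", TRANSFERRED)):
        print(name, classify_change(BASELINE, snap))
```

A "control-change" verdict is a prompt to pause loading content from that domain until the change is explained, not a confirmation of compromise.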
