SecureDrop, a tool used by dozens of news organizations to receive anonymous news tips through an encrypted platform, has announced its system contained a “vulnerability” that dates back to 2015. The flaw would have been extremely difficult to exploit, and there’s no evidence that any organization’s server was compromised.
The Freedom of the Press Foundation, which manages the software, says the flaw poses “very little risk.” It released a fix to news organizations last week, and announced it publicly on Tuesday.
During a very short window of time, as a SecureDrop server was being set up, a sophisticated attacker with advance knowledge of the installation could hypothetically have attacked the server. Sources’ identities would still be concealed, but the attacker could have gained access to all the material sent between sources and journalists.
Cybersecurity experts say that while it’s impossible to definitively prove that no attack occurred, the odds are extremely low.
If it did happen, says Matthew Green, a cryptographer at Johns Hopkins University, “it seems like there’s a good chance you would see some evidence.”
But after examining installation logs from multiple organizations, “we have no evidence that this happened, or indeed anyone knows about the bug,” says Jennifer Helsby, the lead developer of the SecureDrop platform.
SecureDrop is an open-source tool used by many news organizations, including NPR, as a way for sources to provide documents and information without revealing their identity. Versions of the tool date back to 2013, and are designed to enable whistleblowers to work with investigative reporters.
Many organizations, including NPR, have now reinstalled SecureDrop with the newly released fix.
Helsby suggests worried sources who want to use SecureDrop could encrypt data before they upload it, and use a tool provided in the security-oriented Tails operating system to strip metadata from documents.
“Like all software, there’s always the chance of vulnerabilities,” she says.
Nicholas Weaver, a computer scientist at the University of California, Berkeley, notes a determined attacker could always send a person to physically compromise a server.
And Green says that while the SecureDrop system is designed to provide some protection even if the server is compromised, “there’s no way to build a perfectly secure system for this purpose.” Sources should take additional steps to protect themselves, like never sending original documents and avoiding scanners, which can add revealing watermarks, he says.