Researchers from the cybersecurity firm Char49 discovered a vulnerability on the official website of the automaker Ferrari that could have allowed attackers to gain access to confidential information. The vulnerability, found in March 2021, was related to the W3 Total Cache plugin installed on the media.ferrari.com domain, which was running an old version of WordPress. The plugin was affected by a severe vulnerability, CVE-2019-6715, which could allow unauthorized reading of arbitrary files. The researchers identified the file wp-config.php, which stores the credentials for the WordPress database in plaintext.
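The practical defender's question after a report like this is whether anyone actually reached wp-config.php through the web server before the plugin was patched. The following script is an added example, not Char49's tooling or anything from the Ferrari disclosure: it scans web server access logs for requests that reference wp-config.php or carry path-traversal sequences, decoding percent-encoding repeatedly so double-encoded attempts are not missed, and marks a hit as worth escalating when the server answered 200 with a non-empty body. The log lines and the `/wp-content/plugins/example/view.php?file=` endpoint are constructed for illustration and are not the CVE-2019-6715 request pattern.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined-log style (not real traffic).
# The plugin path and "file=" parameter are hypothetical, chosen only to show
# traversal and double-encoding; they are not the CVE-2019-6715 vector.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2021:10:01:02 +0000] "GET /wp-content/plugins/example/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2021:10:01:05 +0000] "GET /wp-content/plugins/example/view.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:02:11 +0000] "GET /2021/03/press-release/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:02:30 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.44 - - [12/Mar/2021:10:03:00 +0000] "GET /wp-content/plugins/example/view.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 500 0 "-" "python-requests/2.25"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files that must never be served or read through the web tier.
SENSITIVE_FILES = ("wp-config.php",)


def normalize_target(target, rounds=3):
    """Percent-decode until stable so %252e%252e%252f ends up as ../ like a plain ../ would."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def classify_request(target):
    """Return the reasons a request target looks like a file-read attempt (empty if none)."""
    norm = normalize_target(target)
    reasons = []
    if "../" in norm:
        reasons.append("path traversal")
    for name in SENSITIVE_FILES:
        if name in norm:
            reasons.append(f"references {name}")
    return reasons


def scan_log(text):
    """Parse combined-format lines and return one finding dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if not reasons:
            continue
        size = int(m["size"]) if m["size"].isdigit() else 0
        findings.append({
            "ip": m["ip"],
            "target": m["target"],
            "status": int(m["status"]),
            "size": size,
            "reasons": reasons,
            # A 200 with a non-empty body is the case to escalate: the read may have succeeded.
            "likely_success": m["status"] == "200" and size > 0,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "ESCALATE" if f["likely_success"] else "note"
        print(f"{flag:8} {f['ip']:15} {f['status']} {', '.join(f['reasons'])}  {f['target']}")
```

On the constructed input, only the first traversal request (HTTP 200, 2048 bytes) is marked for escalation; the direct request for /wp-config.php was refused with 403 and the double-encoded attempt failed with 500, so both are recorded but not escalated. On a real incident the escalated entries are the ones that justify rotating the database credentials and any keys stored in wp-config.php, whether or not the plugin has since been updated.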
While the researchers did not dig deeper, in keeping with responsible disclosure norms, they stated that the vulnerability had the potential to expose other files on the web server that could be valuable to attackers. Ferrari, on being notified of the vulnerability, fixed it by updating the plugin.
There are no signs that customer or other sensitive information was compromised in this instance. However, the discovery highlights the importance of companies such as Ferrari ensuring the safety and security of their systems.
In March, Ferrari had admitted to being the victim of a ransomware attack in which customer information was stolen. The attackers demanded a ransom, which Ferrari refused to pay while informing its clients of the breach. In October 2020, the RansomEXX extortion gang claimed to have hacked Ferrari's IT systems, stolen 6.99 GB of data, and posted it on their leak site. The source of the documents remains unknown.