Security question: Hacked via Zapier integration

Hi there. I have a self-hosted Ghost instance. This week, my site had its posts and pages all deleted via the Zapier integration API key by some malicious actor. I had not used the integration in my Zapier account, but I was able to see in the History logs that all the malicious activity happened via Zapier.

My question is, where are the security vulnerabilities I should add guards for? I have 2FA on and use randomly generated passwords for all my accounts, so I’ve rotated my passwords and the Zapier integration key. The only other possible vulnerability I can imagine is the malicious actor somehow getting into my server.

What version of Ghost are you on? SQL injection in Content API · Advisory · TryGhost/Ghost · GitHub could potentially have been used to exfiltrate the admin api key. If you aren’t on the latest ghost, upgrading and then rolling your keys again and resetting all staff passwords would be a good start.

(In other words, it might not be the case that the hack came in via Zapier, but that attackers got the admin api key you generated for Zapier.)


Hi Cathy! You’re absolutely right. I just checked my versioning and I’m a major version behind. My suspicion is also that the attackers got the admin API key for Zapier, which I’ve never used myself. I did upgrade today!

Great. So I’d definitely take a look for any integrations (look in the custom tab) that you don’t expect to be there and remove them, and I’d ‘regenerate’ any keys for anything I did recognize. Also check your staff listing for any unexpected staff or staff with unexpected emails, and remove them. Regenerate staff tokens for all staff, including the owner.

(And just a note: I don’t work for Ghost. This is my unofficial Ghost power user opinion, and I hope that you’ll get additional replies with additional thoughts on what to check.)
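As an added illustration of the audit the reply above recommends (this is example code written for this page, not code from the thread or from the Ghost project): the script below mints a Ghost Admin API token the way Ghost's Admin API documents it (an HS256 JWT whose `kid` header is the key id, signed with the hex-decoded secret, `aud` of `/admin/`, valid for at most five minutes), fetches the staff list from the documented `/ghost/api/admin/users/` endpoint, and flags any account whose email is neither on your known list nor in an allowed domain. The site URL, the API key, the allow-lists and the sample staff records are constructed placeholders; the only network call is isolated in `fetch_staff`, so the token and filtering logic can be exercised offline. Use a freshly generated Custom Integration key for this and regenerate it afterwards, since the whole point of the thread is that a leaked Admin API key is full write access to the site.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.request

# Placeholders (assumptions, not real values): a Ghost Admin API key is "<id>:<hex secret>".
SITE_URL = "https://example-ghost-site.test"
ADMIN_API_KEY = "64a1b2c3d4e5f60718293a4b:" + "ab" * 32

KNOWN_STAFF_EMAILS = {"owner@example.test", "editor@example.test"}
ALLOWED_EMAIL_DOMAINS = {"example.test"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_admin_token(admin_api_key: str, now=None) -> str:
    """Build the short-lived JWT Ghost's Admin API expects in 'Authorization: Ghost <token>'."""
    key_id, secret_hex = admin_api_key.split(":", 1)
    iat = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT", "kid": key_id}
    payload = {"iat": iat, "exp": iat + 5 * 60, "aud": "/admin/"}  # 5 min is Ghost's maximum
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(bytes.fromhex(secret_hex), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_admin_token(token: str, admin_api_key: str) -> dict:
    """Recompute the signature locally and return the claims; raises ValueError on a bad token."""
    key_id, secret_hex = admin_api_key.split(":", 1)
    head_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(
        bytes.fromhex(secret_hex), f"{head_b64}.{body_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("kid") != key_id or header.get("alg") != "HS256":
        raise ValueError("unexpected header")
    return json.loads(_b64url_decode(body_b64))


def fetch_staff(site_url: str, token: str) -> list:
    """GET all staff users with their roles from the Admin API (the one network call here)."""
    req = urllib.request.Request(
        f"{site_url}/ghost/api/admin/users/?limit=all&include=roles",
        headers={"Authorization": f"Ghost {token}", "Accept-Version": "v5.0"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["users"]


def unexpected_staff(users: list, known_emails: set, allowed_domains: set) -> list:
    """Return (email, roles) for accounts not explicitly known and not in an allowed domain."""
    flagged = []
    for user in users:
        email = (user.get("email") or "").lower()
        domain = email.rsplit("@", 1)[-1]
        roles = sorted(r.get("name", "") for r in user.get("roles", []))
        if email not in known_emails and domain not in allowed_domains:
            flagged.append((email, roles))
    return flagged


# Constructed sample of what the users endpoint returns; the third record is the kind
# of foothold an attacker with a leaked key might leave behind.
SAMPLE_USERS = [
    {"email": "owner@example.test", "roles": [{"name": "Owner"}]},
    {"email": "editor@example.test", "roles": [{"name": "Editor"}]},
    {"email": "backup-admin@mail-drop.invalid", "roles": [{"name": "Administrator"}]},
]


if __name__ == "__main__":
    # Real run: users = fetch_staff(SITE_URL, mint_admin_token(ADMIN_API_KEY))
    for email, roles in unexpected_staff(SAMPLE_USERS, KNOWN_STAFF_EMAILS, ALLOWED_EMAIL_DOMAINS):
        print(f"UNEXPECTED STAFF: {email} roles={roles}")
```

Run it once against the live site after upgrading and before rotating keys, so the listing reflects the state the attacker left; anything flagged should be removed through the staff settings, and every remaining account's sessions invalidated by the password resets already mentioned.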