Security flaw in Vatican website leads to "Lord is an Onion" headline


Screenshot of headline at Vatican News website declaring "The Lord is an Onion." (Credit: Twitter.)

Despite what seemed like official confirmation, God is not an onion.

For a short time, the new website of the Secretariat for Communication, www.vaticannews.va, carried the headline, “Pope Francis: The Lord is an Onion.”

The change was made by a Belgian security hacker, Inti De Ceukelaire, who said he was trying to point out the security flaws in the website, which was launched last year.

“I saw the Vatican had a new website a while ago. Whenever a huge website launches a new communication platform, I check it out. I want to see what technologies or software they’re using, how they follow design trends and whether they have innovative features. I don’t necessarily look for vulnerabilities, but this one was pretty obvious,” De Ceukelaire told The Next Web.

In this case, it was the ability for an outsider to inject their own code into the website to change its appearance.

“I contacted the webmaster from the Vatican on his official e-mail address on nine occasions. The mails were opened and read, as they did actually change something after my initial report,” De Ceukelaire told Crux in an email exchange.

“From there on, they started ignoring my messages for weeks. Then I friendly pointed them out that if they wouldn’t at least consider fixing it before February 7th, I’d go public with [it]. That is an industry-standard security researcher practice called full disclosure,” he said. “Obviously, this is our least preferred scenario, but sometimes webmasters need a little bit of pressure to fix their websites, Vatican or not.”

He made the change, took a screenshot, and sent it to his Twitter followers.

De Ceukelaire told Crux the change was only accessible by visiting a special link, and he published something that is obviously fake news, so people wouldn’t really be misled.

“It’s important to note that I didn’t really perform any illegal hacking: No regular Catholic visiting the website would have seen the story,” he said, adding that the change was “innocent.”

“I didn’t really alter or hack the website, I just found a (really easy) way to make it seem like I did,” said De Ceukelaire.

“It doesn’t really harm anybody, but it sends a clear warning to the Vatican’s webmaster.”

De Ceukelaire told Crux the Vatican fixed it a few hours after he published it, and then he removed the domain.

The new Vatican News website was launched last December and is the centerpiece of the Vatican’s communication reform aimed at combining the various Vatican offices – such as the former Vatican Radio and CTV, and the newspaper L’Osservatore Romano.

The Secretariat for Communication has not responded to a request from Crux for comment, but an official who did not wish to be identified did confirm the hack, and said it is “being taken seriously.”

De Ceukelaire has made high-profile changes before: Last year, he bought the domain names for several links tweeted by Donald Trump and redirected them to other content, which changed the appearance of Trump’s tweets, usually in an embarrassing way.

De Ceukelaire told Crux no one is really to blame for the security mistakes, since internet security is “really hard.”

“But what IS important is how you respond to security incidents, and this is exactly where the Vatican went wrong. They decided to ignore the risk of someone publishing fake news through their website after being contacted nine times. That’s when I decided I had to do something else to draw their attention,” he said.

De Ceukelaire also wanted to clarify that what he did is not an attack on the Catholic Church.

“I’m a Catholic myself and regret having to send the message this way, even though I followed all ethical procedures,” he told Crux.

And why the headline?

De Ceukelaire told Crux the joke is lost in translation, since his original tweet was for his mostly Dutch-speaking Twitter followers.

He said “The Lord is an Onion” refers to the place he is from.

“They call inhabitants of my town, Aalst, Onions. The real message is: The Lord is with us/one of us. The ‘joke’ wasn’t really supposed to leave my country as other people wouldn’t really understand the reference to an ‘Onion’.”
