Bangladesh’s most popular news website, Prothom Alo, faced a security breach on Monday morning.
The hacker left a message on the website, highlighting 'security vulnerabilities' and urging the editor and staff to hold a meeting with the hacker to address the security flaws.
The message also warned that other news outlets' websites are similarly at risk.
Cybersecurity expert Raihanul Alam classified the attack as a website defacement, explaining: "In this type of attack, hackers overwrite the original content with a message."
He added that the attackers gained access through vulnerabilities or web shells.
Sajjad Sharif, executive editor of Prothom Alo, told Dhaka Tribune that control of the website has since been restored.
He confirmed that the breach was due to vulnerabilities on the part of Prothom Alo’s CMS developer, Quintype, but assured that the issue has been resolved.
“We are now monitoring the site, and although attackers are still attempting to gain access, these attempts are unsuccessful due to Quintype’s ongoing surveillance,” Sharif added.
Quintype was reportedly unaware of the issue until Prothom Alo reached out. Following the breach, Quintype patched several vulnerabilities and continues to monitor the situation closely.
Dhaka Tribune attempted to contact Quintype for further comment but did not receive any response.
The hacker, identifying himself as "Ridz," told Dhaka Tribune that the breach was related to vulnerabilities in Bold CMS, developed by Quintype Technologies.
He explained that Quintype uses a single database for multiple clients, which can allow unauthorized access to data across different clients if authentication mechanisms are bypassed.
Ridz further revealed that "the APIs provided by Bold CMS are not sufficiently secured, and the frontend framework exposes sensitive information to the public, increasing the risk."
Although Ridz is not affiliated with any hacking group, he described himself as a "24-year-old technology enthusiast with a background in various local news organizations."
He recently won an innovation award and is currently in the process of launching a software company aimed at fostering technological innovation in Bangladesh under the "Made in Bangladesh" banner.
According to Ridz, a senior manager from Prothom Alo's Digital Technology department has contacted him, and they are now collaborating to address the issue.
Ridz warned that other media organizations in Bangladesh are considering migrating to Bold CMS, which could expose them to similar risks.
In addition to Prothom Alo, bdnews24.com and Kalbela have also used Bold CMS in the past.
In September 2023, bdnews24.com experienced an outage lasting at least 10 hours, though Dhaka Tribune could not confirm whether this was linked to the same vulnerability.