Hacked website title

Started by Filippo Masoni 4 years ago · 10 replies · 2657 views
4 years ago

I just realized 3 of my Grav websites in production changed the name to Hacked by tokeichun

Did a quick search on Google and many others popped up, all Grav websites.

Is anybody aware of a security issue?

With a quick git status, I found the title inside site.yaml to be the only thing changed. Nothing else. I fixed the titles and I just changed my admin passwords but it could happen again.
All of these 3 websites are on Grav 1.6, not sure if there was an issue there.

This is the first security breach I've had in many years of webdev.

4 years ago

There was an announcement on Discord about that. It said to upgrade to latest Grav + Admin

👍 1
4 years ago

Can you link the announcement? I'd like to understand what actually got compromised.

How recent is this? Latest version meaning the current 1.7.28?

I'll start updating all of my Grav instances now, but I usually don't do that if I don't work on the website because I don't want to make breaking changes without testing most features.

4 years ago

Sorry, wasn't at my PC, so didn't have a message at hand. Here it is:

🔒 🕵️ We’ve seen a number of “hacked by..” attacks on older Grav sites reported today. The vulnerability was mitigated in March of 2021 (Admin 1.10.9+). Please stay safe and update to the latest Grav + Admin versions to ensure you are not at risk for this hack.
Thanks!

4 years ago

Found it, thank you. Doesn't really explain much, but I'm going to update all of my sites now.

I guess the vulnerability was only on the website title and they didn't change anything else.

4 years ago

My compromised site: Grav 1.7.28 + admin 1.10.28 - quite current. In which version is the danger really eliminated?

4 years ago

@fosil, well, the above reply says the issue has been mitigated in March 2021...

If the site can still be hacked with the latest version, please gather all relevant data and submit an issue at the Admin repo at GitHub. That's where the devs live...

4 years ago

So...
I'm asked to have a look at fixing this same issue but there is sparse information on what went wrong other than it's been mitigated by updating. Not very useful.
Is it safe to update, and will doing so resolve any issues?
What types of things could have been affected or compromised?
Would a content backup and restore into a fresh install be a safer approach?

The Discord (ugh, had to create another account just to see the information) post had no real information and nothing is on the issue tracker that is helpful either.

Any help?

👍 1
4 years ago

I asked the same thing but didn't get an answer. It would be really helpful to know what went wrong and how it got fixed.

After updating all of my clients' sites (12, 3 of which got compromised) I didn't have any problems and it's the first time I've had a security issue since using Grav.

👍 1
4 years ago

@filo91:
I asked the same thing but didn’t get an answer. It would be really helpful to know what went wrong and how it got fixed.

Yep. I'm concerned about the depth and breadth of access possible. Some more information would help me mitigate the problem and have confidence going forward. As it stands I can't in good conscience just assume everything is ok for my users.
