Year of Youth 2018

Website Security Flaw in Vatican Website Leads to “Lord is an Onion” Headline

Last edited 11th February 2018

Website Security Flaw in Vatican Website Leads to “Lord is an Onion” Headline

Despite what seemed like official confirmation, God is not an onion.

For a short time, the new website of the Secretariat for Communication, www.vaticannews.va, carried the headline, “Pope Francis: The Lord is an Onion.”

The change was made by a Belgian security hacker, Inti De Ceukelaire, who said he was trying to point out the security flaws in the website, which was launched last year.

“I saw the Vatican had a new website a while ago. Whenever a huge website launches a new communication platform, I check it out. I want to see what technologies or software they’re using, how they follow design trends and whether they have innovative features. I don’t necessarily look for vulnerabilities, but this one was pretty obvious,” De Ceukelaire told The Next Web.

In this case, it was the ability for an outsider to inject their own code into the website to change its appearance.


“I contacted the webmaster from the Vatican on his official e-mail address on nine occasions. The mails were opened and read, as they did actually change something after my initial report,” De Ceukelaire told Crux in an email exchange.

“From there on, they started ignoring my messages for weeks. Then I friendly pointed them out that if they wouldn’t at least consider fixing it before February 7th, I’d go public with [it]. That is an industry-standard security researcher practice called full disclosure,” he said. “Obviously, this is our least preferred scenario, but sometimes webmasters need a little bit of pressure to fix their websites, Vatican or not.”

De Ceukelaire told Crux the change was only accessible by visiting a special link, and he published something that is obviously fake news, so people wouldn’t really be misled.

“It’s important to note that I didn’t really perform any illegal hacking: No regular Catholic visiting the website would have seen the story,” adding that the change was “innocent.”

“I didn’t really alter or hack the website, I just found a (really easy) way to make it seem like I did,” said De Ceukelaire.

“It doesn’t really harm anybody, but it sends a clear warning to the Vatican’s webmaster.”

De Ceukelaire told Crux the the Vatican fixed it a few hours after he published it, and then he removed the domain.

The new Vatican News website was launched last December and is the centerpiece of the Vatican’s communication reform aimed at combining the various Vatican offices - such as the former Vatican Radio and CTV, and the newspaper L’Osservatore Romano.


Visit this article


Viewed (303)    Commented (0)