tl;dr: The Cambridge Analytica site is using a version of Drupal that has an easy XSS exploit using vulnerability SA-CORE-2018-001.

Yesterday there was a major security vulnerability announced in the Drupal Content Management System. All supported versions were open to a trivial XSS (Cross Site Scripting) vulnerability. Just like the Drupalgeddon vulnerability in 2014 this is a very serious issue that is easy to exploit. Drupalgeddon caused thousands of site to be exploited, one of the most common ones is the Panama Papers leak caused partly by an unpatched Drupal installation.

In recent news the biggest information / data leak has been the debacle where Facebook data was used by Cambridge Analytica to affect political voting in a number of locations. You would thing that Cambridge Analytica, holding such key data would be adamant on high grade security. Seems like it is not the case as their main website is running a vulnerable version of Drupal 8. The security issue is marked as critical and has a number of patches rela ted to it.

In the change log details (https://cambridgeanalytica.org/core/CHANGELOG.txt) the version of Drupal running is (as of 03/29/2018 - 16:24) version 8.4.5. The version is dated in February 20th 2018, and fixes another Drupal security issue (SA-CORE-2018-001). This version has had public vulnerabilities for 24 hours now. Because of the trivial nature, it is likely that there are already exploits against the exposed vulnerability (SA-CORE-2018-001).

So it might be that Drupal will again be a tool to leak critical information due to a security issue, should the Cambridge Analytica site built with Drupal 8 have any sensitive data or connections to APIs that do. Currently it seems the Cambridge Analytica Drupal is a multisite install, with at least the following sites vulnerable:

See details on the critical vulnerability in Drupal versions 7 and 8: https://www.drupal.org/sa-core-2018-002