Jamie Oliver Company defends response to malware-ridden website

Representatives of Jamie Oliver insist the celebrity chef has 'no regrets' over the handling of security breakdowns on his website, despite exposing millions of visitors to malware that could have been used to steal sensitive data.


Oliver was heavily criticised by security expert Graham Cluley who penned a blog post yesterday, entitled “Jamie Oliver doesn't care that he gave you malware”. In it, he questioned whether, despite assurances, the web development team will be able to get a handle on the infection given the number of times it has been compromised.

The infection, discovered by Malwarebytes, consists of a single line of code containing a bit.ly link that triggers a redirection chain to the Fiesta exploit kit (EK). Malwarebytes goes into detail on the Fiesta kit in a blog post dated 4 May, which includes its analysis of a torrent site that had been infected with the same malware.

This is the third time in four months that the celebrity chef's website has been infected by malware, following infections in March and another incident which occurred sometime between last December and February this year.

JamieOliver.com is a popular website, ranking 548 in the UK and 5617 in the world, with some 10 million or more visitors per month.

Despite the risk to visitors, Oliver has declined to comment specifically on Cluley's criticism that the famous chef has let his fans down by failing to warn them of the risk of using his site.

On his blog, Cluley wrote: “On each occasion, it is innocent internet users who are put at risk – and may find that their passwords have been stolen simply because they visited Jamie Oliver's website for a tasty recipe.”

Malwarebytes, which discovered each of the three infections, says it informed Jamie Oliver's company on each occasion, and the company said it is addressing the security issues, but Cluley is critical of the lack of information for users. “What disturbs me is that there is no warning of the risk on the website or mention of the problem on Jamie Oliver's Twitter account,” he said.

Oliver's Twitter account has 4.4 million followers but there has been no mention of the breach.

“My conclusion has to be that he simply doesn't care,” Cluley said. “And if he doesn't care, why do you imagine that efforts will be made to prevent it from happening again?”

A spokesman for Jamie Oliver hit back, telling SCMagazineUK.com: “We have taken this issue very seriously, taken numerous steps to investigate any vulnerabilities, performed daily scans and increased the level of security drastically to ensure a safe browsing experience for our visitors.”

He added that the Jamie Oliver Company is working to resolve the problem: “We're working with a number of security companies to find the issue once and for all.

“We're also running daily manual checks which have detected and cleaned a number of threats although it's important to note that we have had no reports from any users that have been put at risk.”

He added: “We've implemented daily rootkit and malware detection scans, also an industry leading web application firewall to protect against all common security attacks, eg SQL injection, cross-site scripting and backdoor protection which has been blocking numerous hacking attempts.”

Despite expressing regret for the security breaches, he said the company had no regrets over its subsequent handling of the incidents. “We believe we have taken the right steps and have stopped numerous malicious attack attempts as a result. We regret this incident could not be prevented and will do everything we possibly can to fix this challenging issue,” the spokesman said.

Meanwhile, David Emm, principal security researcher at Kaspersky Lab, said: “It is imperative that individuals don't take a lax approach to cyber-security, as the cyber landscape continues to advance as do the threats that come with it.

“Consumers must be consistently on the ball and develop a ‘security mind-set’ as opposed to a one-off approach to install security measures and then forget about them.”

Update: Cluley has since told SC that no one from the Jamie Oliver Group has contacted him about his comments.

Meanwhile, the reaction from the security community has been muted, he said. “Generally news of Jamie Oliver's latest malware infection has been accompanied by the sound of heads being bashed against walls in exasperation.”

And he wasn't surprised that the Jamie Oliver Group hadn't received any complaints from users. “I'm not sure users would necessarily know that their computers had been infected, let alone that they should be moaning at Jamie Oliver about it,” he said.