Sunday, 14 April 2019

arsTECHNICA/Dan Goodin : A security researcher with a grudge is dropping Web 0days on innocent users


NO REMORSE —
A security researcher with a grudge is dropping Web 0days on innocent users
Exploits published over the past three weeks exposed 160,000 websites to potent attacks.

Dan Goodin - Apr 13, 2019 3:18 pm UTC

Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice but to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.
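As an added, runnable example (not code from Ars, WordPress.org, or any of the plugin developers named here), this is the check a site administrator would want after reading the above: walk the installed plugins, read each plugin's header the way WordPress itself does, and compare versions with PHP `version_compare()` semantics against what the article establishes. Social Warfare is fixed in 3.5.3 (the release named in the Warfare Plugins timeline later in this story); Yuzo Related Posts and Yellow Pencil are flagged on sight because the page gives no fixed version for either. The sample plugin files, paths and version strings below are constructed for the example and do not come from any real site.

```python
"""Audit installed WordPress plugins against the fixed/closed plugin facts in the article."""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Policy derived from the article. A version means "safe at or above this version"
# (3.5.3 is the patched Social Warfare release in the Warfare Plugins timeline).
# None means the page gives no fixed version (Yuzo: closed with no patch; Yellow Pencil:
# patched, but the fixed version number is not stated), so any installed copy is flagged.
POLICY: Dict[str, Optional[str]] = {
    "social warfare": "3.5.3",
    "yuzo related posts": None,
    "yellow pencil visual theme customizer": None,
}

# Ordering of PHP version_compare() special strings; unknown strings sort below 'dev'.
_ORDER = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "c": 3,
          "#": 4, "pl": 5, "p": 5}


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Read 'Plugin Name:' and 'Version:' the way WordPress's get_file_data() does:
    only the first 8 KiB is examined, and a field is a 'Field: value' line inside the
    leading comment (any run of ' \\t/*#@' may precede the field name)."""
    head = php_source[:8192].replace("\r", "\n")
    fields: Dict[str, str] = {}
    for field in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        if m:
            # Drop a trailing comment close ('*/' or '?>') on the same line.
            fields[field] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return fields


def _canon(version: str) -> List[str]:
    """PHP-style canonicalisation: '-', '_' and '+' become '.', and a dot is inserted at
    every digit/letter boundary, so '3.5.3-rc1' -> ['3', '5', '3', 'rc', '1']."""
    v = re.sub(r"[-_+]", ".", version.strip())
    v = re.sub(r"(\d)([A-Za-z])", r"\1.\2", v)
    v = re.sub(r"([A-Za-z])(\d)", r"\1.\2", v)
    return [p for p in v.split(".") if p]


def _key(part: str) -> Tuple[int, int]:
    if part.isdigit():
        return (_ORDER["#"], int(part))
    return (_ORDER.get(part.lower(), -1), 0)


def version_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 like PHP's version_compare(), which WordPress uses when it
    decides whether an update is available."""
    pa, pb = _canon(a), _canon(b)
    # A missing trailing part counts as '#' with no number: '1.0' < '1.0.0',
    # but '1.0' > '1.0rc1' and '1.0' < '1.0pl1', matching PHP.
    missing = (_ORDER["#"], -1)
    for i in range(max(len(pa), len(pb))):
        ka = _key(pa[i]) if i < len(pa) else missing
        kb = _key(pb[i]) if i < len(pb) else missing
        if ka != kb:
            return -1 if ka < kb else 1
    return 0


def check_plugin(name: str, version: Optional[str]) -> str:
    """Classify one installed plugin: 'ok', 'update', 'remove_or_verify' or 'not_in_policy'."""
    key = name.strip().lower()
    if key not in POLICY:
        return "not_in_policy"
    minimum = POLICY[key]
    if minimum is None:
        return "remove_or_verify"
    if version is None or version_compare(version, minimum) < 0:
        return "update"
    return "ok"


def audit_sources(sources: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Audit {path: php source}; returns (path, plugin name, version, status) for every
    file that carries a plugin header, sorted by path."""
    findings = []
    for path, src in sorted(sources.items()):
        hdr = parse_plugin_header(src)
        if "Plugin Name" not in hdr:
            continue  # a library file, not the plugin's main file
        findings.append((path, hdr["Plugin Name"], hdr.get("Version", ""),
                         check_plugin(hdr["Plugin Name"], hdr.get("Version"))))
    return findings


def audit_directory(plugins_dir: Path) -> List[Tuple[str, str, str, str]]:
    """Scan wp-content/plugins the way WordPress does: *.php in the directory itself
    (single-file plugins) and one level down (plugin folders)."""
    files = list(plugins_dir.glob("*.php")) + list(plugins_dir.glob("*/*.php"))
    return audit_sources({str(p): p.read_text(errors="replace")[:8192] for p in files})


# Constructed sample plugin files (paths and versions invented for this example).
SAMPLE_SOURCES = {
    "plugins/social-warfare/social-warfare.php":
        "<?php\n/**\n * Plugin Name: Social Warfare\n * Plugin URI: https://example.invalid\n"
        " * Version: 3.5.2\n */\n",
    "plugins/yuzo-related-post/yuzo_related_post.php":
        "<?php\n/*\nPlugin Name: Yuzo Related Posts\nVersion: 5.12.91\n*/\n",
    "plugins/example-widget/example-widget.php":
        "<?php\n/* Plugin Name: Example Widget */\n/* Version: 1.0 */\n",
    "plugins/social-warfare/lib/utility.php": "<?php\n// helper code only, no header\n",
}

if __name__ == "__main__":
    for path, name, version, status in audit_sources(SAMPLE_SOURCES):
        print(f"{status:16} {name} {version} ({path})")
```

Run it against a real install with `audit_directory(Path("/var/www/html/wp-content/plugins"))`. The point of mirroring WordPress's own header parsing and PHP's version ordering, rather than comparing strings, is that pre-release suffixes and two-digit components ("3.5.10" versus "3.5.3") are exactly where naive checks misclassify a vulnerable install as patched.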

In-the-wild exploits against Social Warfare, a plugin used by 70,000 sites, started three weeks ago. Developers for that plugin quickly patched the flaw but not before sites that used it were hacked.

Scams and online graft

All three waves of exploits caused sites that used the vulnerable plugins to surreptitiously redirect visitors to sites pushing tech-support scams and other forms of online graft. In all three cases, the exploits came after a site called Plugin Vulnerabilities published detailed disclosures on the underlying vulnerabilities. The posts included enough proof-of-concept exploit code and other technical details to make it trivial to hack vulnerable sites. Indeed, some of the code used in the attacks appeared to have been copied and pasted from the Plugin Vulnerabilities posts.

Within hours of Plugin Vulnerabilities publishing the Yellow Pencil Visual Theme and Social Warfare disclosures, the zeroday vulnerabilities were actively exploited. It took 11 days after Plugin Vulnerabilities dropped the Yuzo Related Posts zeroday for in-the-wild exploits to be reported. There were no reports of exploits of any of the vulnerabilities prior to the disclosures.

All three of Plugin Vulnerabilities' zeroday posts came with boilerplate language that said the unnamed author was publishing them to protest "the moderators of the WordPress Support Forum's continued inappropriate behavior." The author told Ars that s/he only tried to notify developers after the zerodays were already published.

"Our current disclosure policy is to full disclose vulnerabilities and then to try to notify the developer through the WordPress Support Forum, though the moderators there… too often just delete those messages and not inform anyone about that," the author wrote in an email.

According to a blog post Social Warfare developer Warfare Plugins published Thursday, here's the timeline for March 21, when Plugin Vulnerabilities dropped the zeroday for that plugin:

    02:30 PM (approx.) – An unnamed individual published the exploit for hackers to take advantage of. We don't know the exact time of the release because the individual has hidden the publishing time. Attacks on unsuspecting websites begin almost immediately.

    02:59 PM – WordPress discovers the publication of the vulnerability, removes Social Warfare from the WordPress.org repository, and emails our team about the issue.

    03:07 PM – In a responsible, respectable way, WordFence publishes their discovery of the publication and vulnerability, giving no details about how to take advantage of the exploit.

    03:43 PM – Every member of the Warfare Plugins team is brought up to speed, given tactical instructions, and begins taking action on the situation in each respective area: development, communications, and customer support.

    04:21 PM – A notice saying that we are aware of exploit, along with instructions to disable the plugin until patched, was posted to Twitter as well as to our website.

    05:37 PM – Warfare Plugins development team makes final code commits to patch the vulnerability and undo any malicious script injection that was causing sites to be redirected. Internal testing begins.

    05:58 PM – After rigorous internal testing, and sending a patched version to WordPress for review, the new version of Social Warfare (3.5.3) is released.

    06:04 PM – Email to all Social Warfare – Pro customers is sent with details of the vulnerability, and instructions on how to update immediately.

No remorse

The author said s/he scoured both Yuzo Related Posts and Yellow Pencil for security after noticing they had been removed without explanation from the WordPress plugin repository and becoming suspicious. "So while our posts could have led to exploitation, it also [sic] possible that a parallel process is happening," the author wrote.

The author also pointed out that 11 days passed between the disclosure of the Yuzo Related Posts zeroday and the first known reports it was being exploited. Those exploits wouldn't have been possible had the developer patched the vulnerability during that interval, the author said.

Asked if there was any remorse for the innocent end users and website owners who were harmed by the exploits, the author said: "We have no direct knowledge of what any hackers are doing, but it seems likely that our disclosures could have led to exploitation attempts. These full disclosures would have long ago stopped if the moderation of the Support Forum was simply cleaned up, so any damage caused by these could have been avoided, if they would have simply agreed to clean that up."

The author declined to provide a name or identify Plugin Vulnerabilities other than to say it was a service provider that finds vulnerabilities in WordPress plugins. "We are trying to keep ahead of hackers, since our customers pay us to warn them about vulnerabilities in the plugins they use, and it obviously is better to be warning them before they could have been exploited instead of after."

Whois Plugin Vulnerabilities?

The Plugin Vulnerabilities website has a copyright footer on each page that lists White Fir Designs, LLC. Whois records for pluginvulnerabilities.com and whitefirdesign.com also list the owner as White Fir Designs of Greenwood Village, Colorado. A business database search for the state of Colorado shows that White Fir Designs was incorporated in 2006 by someone named John Michael Grillot.

The crux of the author's beef with WordPress support-forum moderators, according to threads such as this one, is that they remove his posts and delete his accounts when he discloses unfixed vulnerabilities in public forums. A recent post on Medium said he was "banned for life" but had vowed to continue the practice indefinitely using made-up accounts. Posts such as this one show Plugin Vulnerabilities' public outrage over WordPress support forums has been brewing since at least 2016.

To be sure, there's plenty of blame to spread around for the recent exploits. Volunteer-submitted WordPress plugins have long represented the biggest security risk for sites running WordPress, and so far, developers of the open source CMS haven't figured out a way to sufficiently improve their quality. What's more, it often takes far too long for plugin developers to fix critical vulnerabilities and for site administrators to install the fixes. Warfare Plugins' blog post offers one of the best apologies ever for its role in not discovering the critical flaw before it was exploited.

But the bulk of the blame by far goes to a self-described security provider who readily admits to dropping zerodays as a form of protest or, alternatively, as a way to keep customers safe (as if exploit code was necessary to do that). With no apologies and no remorse from the discloser—not to mention a dizzying number of buggy, poorly-audited plugins in the WordPress repository—it wouldn't be surprising to see more zeroday disclosures in the coming days.

This post was updated to remove incorrect details about White Fir Design.
Promoted Comments

    Magus` Ars Legatus Legionis et Subscriptor
    ChrisSD wrote:
    I don't think it's entirely fair to shoot the messenger in all of this.

    It's completely fair. Wordpress has an avenue for responsible disclosure of vulnerabilities. The "messenger" is choosing not to use it.

    It would be one thing if he was actually contacting them responsibly and then they ignored him, but he isn't even trying.

    He's being pissy because he posted vulns publicly on the support forums (where they don't belong), got banned, and so now he's started posting them on his own site.

    Rombobjörn wrote:
    It's not clear to me how much the person behind Plugin Vulnerabilities has tried to contact the plugin developers in private.

    None whatsoever.

    Rombobjörn wrote:
    Is there an email address or a bug tracker to submit reports to? I don't know what the common practice is in the Wordpress community, and I'm not going to spend a day investigating.

    Yes, there's a page on it.
    28788 posts | registered 11/22/2001
    Morley Dotes Ars Praetorian et Subscriptor
    Sigh...Lots of armchair CMS developers here...

    As someone who worked with these types of apps for a couple of decades, and have written a few content management systems (in a couple of languages), and rewritten a couple, and having written WP, Drupal, and...yech...Joomla plugins and themes (as well as a number of sites in said), I have a bit of prior art, here.

    First, WP isn't that bad. There's some icky legacy code, but the newer code is actually pretty professionally well-done, and it looks like they are [carefully] refactoring the older codebase.

    It's difficult to refactor one of these puppies. Think of it as repaving 405 during rush hour. You need to be very, very careful.

    What a CMS gives you, is a whole dumptruck full of work that you don't need to do, so they are popular, and here to stay. It doesn't matter whether or not we like them, they are going to be used, and they are going to be used by the types of people that don't want to do much extra work.

    So we can either sit around and whine about them, or roll up our sleeves, and do the best we can to improve their lot. Up to us.

    Sometimes, we can only improve the little bit around us. Make sure our own plugins and extensions are as good as possible. We need to keep our own score. We can't fix the world; just a little corner of it.

    I've written some fairly massive structures in PHP. It's a suckass language. I'm pretty good with it, but I want to run screaming sometimes, when I run into idiotic crap like functionA(needle, haystack)/functionB(haystack, needle).

    It was a thousand times worse when WP was started. It's now actually a reasonable OO language (sort of).

    Then you come down to SEI CMMI 5 vs. 3. 5 is "Space Shuttle," and 3 is "where most of us live."

    If it's 5, then you're darn tootin' that the developers should have their feet held to the fire for things like this (Can you say "737 Max?" -I knew you could!).

    If it's 3, then there is a standard that needs to be set and enforced by each organization doing development. This includes things like "not having our most expensive developer spend all her time doing monkey testing." There needs to be a threshold. If a bad threshold is established, then MANAGEMENT needs to be held accountable. As a former development manager, I can attest to this.

    TDD techniques can help, but TDD is fairly new. It also only tests "low-hanging fruit." It tests the things that you can predict, ahead of time. There will always be a need for monkey testing. A lot of snake oil salesmen are selling CI and CT as some kind of "get out of jail free" card. Lot of folks bought that snake oil by the fifty-gallon drum.

    So...how's that working out?

    Anyone recognize this image?

    Image

    It's from this famous article. As far as I'm concerned, if you haven't read it, and you call yourself a development manager, then maybe you might want to wander over to Steve's blog and have a quick shufti.

    CMMI 5 lives all the way over to the right. The big dip is about CMMI 4.

    It's hard to stay in business as a CMMI 5 shop. Really good unicorns can be 4.

    Like I said, most shops are 3.

    I suspect WP is 3. I think they should be 4. They are basically infrastructure.

    They could be more like Drupal, with an iron-fisted control of their repo.

    That won't stop ten million randos from releasing plugins from their own sites. Some will be great, some will be basically "malware in a can."

    It's always up to the site owner to ensure they are doing the best they can to maintain integrity of their sites. That includes keeping the damn site up to date, regularly policing their plugins, monitoring logs (scary task, that), and not going all "deranged magpie" with their plugins and themes.

    I've done all that, and had a couple of sites hacked anyway, because of a compromised plugin.

    The sites were back up in half an hour, because another thing that site owners should do, is regular backups.

    </soapbox>
    444 posts | registered 4/18/2016
    bitwright Smack-Fu Master, in training
    I'm surprised by the number of people who seem to be defending what Plugin Vulnerabilities did here. They not only publicly disclosed vulnerabilities, but they provided code for exploiting these vulnerabilities, and did so while repeatedly and purposefully ignoring the proper and established routes for responsibly reporting vulnerabilities and failing to directly notify the plug-in developers themselves.

    What's worse is that it seems like Plugin Vulnerabilities did all this in order to drum up attention for their business, which offers a service that scans for security vulnerabilities in WordPress websites and plug-ins.

    Given their irresponsible public disclosures and lack of remorse, the cynic in me wonders if this is all just some sort of shake-down. "Pay us or we will expose your vulnerabilities without telling you." That sort of thing.

    The Medium post linked to in the article goes into a little more detail on the situation, and I suggest people give it a read if they want to know more.

    Anyway, what Plugin Vulnerabilities did was irresponsible and unethical, and not only caused trouble for the developers of the plug-ins and the websites that used them, but put end-users in danger. How people can defend that is beyond me.
    13 posts | registered 1/7/2015
    gilzow Smack-Fu Master, in training
    Rombobjörn wrote:
    It's not clear to me how much the person behind Plugin Vulnerabilities has tried to contact the plugin developers in private. Is there an email address or a bug tracker to submit reports to? I don't know what the common practice is in the Wordpress community, and I'm not going to spend a day investigating.

    If there is no better way to report vulnerabilities than to post publicly to the Wordpress Support Forum, and reports there get silenced, then I find little to blame the researcher for. In that case their persistence at reporting to the forum with new accounts is even laudable. A less responsible person would have given up on the forum and just posted the vulnerabilities on their own website – or even sold them to criminals.

    If, on the other hand, better ways of reporting exist, then this is irresponsible behavior.

    I've reported numerous issues and it is NOT difficult. You simply have to email plugins@wordpress.org and the team will typically respond within a few hours, often disabling the plugin and contacting the plugin author. But even if you don't know the email address, a quick search of "report wordpress plugin security" and it's the very first link. Also, finding the contact information for a plugin that is _active_ is also pretty easy (older, non-actively developed plugins can be hard to track someone down, but that's why you contact the plugin team). And even if you can't find anyone, there are still _responsible_ ways to bring attention to the issue without giving the script kiddies the exact code they need to exploit the vulnerability. Look no further than the reporting done by WordFence and Sucuri.

    Now, the WordPress plugin ecosystem, security-wise, is a maddening mess. It's not going to get better until the WordPress leadership decides security is a priority for the platform and starts dedicating some real resources to it. But that doesn't mean you should punish ignorant, unaware users of those plugins for your personal vendetta against someone who pissed you off.
    1 post | registered 4/13/2019

Dan Goodin
Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.
Email dan.goodin@arstechnica.com // Twitter @dangoodin001