Slashdot Mirror


WordPress Hacked, Attackers Get Root Access

An anonymous reader writes "A hacker has gained access to WordPress.com servers and site source code was exposed including passwords/API keys for Twitter and Facebook accounts. From the official blog post: 'Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partner's code. Beyond that, however, it appears information disclosed was limited.'"

34 of 168 comments

  1. the cloud by stoolpigeon · · Score: 5, Insightful

    and that's why I don't want everything in the cloud.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:the cloud by iluvcapra · · Score: 2

      "Keep webservers off the cloud!" is a strange rallying cry.

      --
      Don't blame me, I voted for Baltar.
    2. Re:the cloud by dominious · · Score: 2

      huh? wordpress is "cloud" ? From the site: "WordPress is web software you can use to create a beautiful website or blog"

    3. Re:the cloud by zill · · Score: 4, Insightful

      Care to point out how "the cloud" is involved in this case? Nowhere in the summary or TFA does it mention that the compromised servers were cloud-based.

    4. Re:the cloud by lennier1 · · Score: 5, Informative

      wordpress.COM is a hosting service which offers Wordpress blog setups out-of-the-box.
      wordpress.ORG is where the software itself is published.

    5. Re:the cloud by Zapotek · · Score: 4, Insightful

      Isn't it obvious? Because the impact of hacking a server containing data from thousands of users is FAR greater than hacking a single desktop.
      That's why the parent is right.

    6. Re:the cloud by Anonymous Coward · · Score: 2, Insightful

      Oblig. http://xkcd.com/538/

      In short... It's more secure because nobody cares about his private data, and even if some hacker did care about his data specifically, whether or not it is on his own computer makes no difference.

      On a large system, such as WordPress, each individual user's data is of insignificant value, but the whole of it may have some value.

      It is easier to break 1 machine with 50,000 users than 50,000 machines with 1 user each.

    7. Re:the cloud by Anonymous Coward · · Score: 4, Insightful

      It does seem that "the cloud" simply means, to most people, "storage and apps on the web". With that common definition I'd have a hard time seeing how it wasn't cloud based. In fact, that's probably why they were hacked. The hackers were looking for that silver lining that every cloud has.

    8. Re:the cloud by icebraining · · Score: 3, Insightful

      But it makes it far more probable.

    9. Re:the cloud by stoolpigeon · · Score: 5, Insightful

      I never said I didn't want "anything" in the cloud. In fact the word I used was "everything". I also placed that word in italics to emphasize that I meant some things I would rather maintain on my own machines, but not all things.

      One of us has rather poor reading skills. That may be the one that is "moronic".

      Furthermore, you have no idea what I do or where most of it takes place. To assert that you do is, well, rather short sighted. One might almost be inclined to say moronic.

      And to decide that the security of one's data is properly handled should be a matter of luck. There has to be a good word for that view, let me think on it a bit and I'm sure it will come to me.

      Oh, and if being called moronic makes you feel bothered at all, I'd recommend keeping that in mind when you throw the word at others. I'm no rocket scientist but that kind of slur really isn't called for.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    10. Re:the cloud by lymond01 · · Score: 2

      "If not, we'll be upset."

      And that's all you will be. Free hosted services have no service agreement, no liability, no enforced responsibility to secure or protect your data.

      Until hosted services need to compensate you for their screwups, many places would prefer to handle their data in house (where they can fire people).

    11. Re:the cloud by postbigbang · · Score: 2

      I stand by my description.

      To look at "cloud" in any way that's different than any system on any network, including the network, is to bash the people that do hard work to protect online public and private resources.

      You can store locally, but your use of the Internet is global, and differentiation with "cloud resources" is to damn professionals and not put the blame where it's due: sysadmins at Wordpress that need a really good spanking.

      --
      ---- Teach Peace. It's Cheaper Than War.
    12. Re:the cloud by xystren · · Score: 2

      It is easier to break 1 machine with 50,000 users than 50,000 machines with 1 user each.

      It is more efficient to break 1 machine with 50,000 users than 50,000 machines with 1 user each.

      Fixed it for ya. The number of users doesn't make it easier, it just makes the potential return on the effort more significant.

    13. Re:the cloud by pasv · · Score: 2

      Try reliably exploiting thousands of browsers on several different platforms and different environments to get at info. Or just send one well crafted email to a low-level employee of a company that controls the targeted information on a cloud and start a spear phishing campaign. Hrm.. Which is harder to do?

    14. Re:the cloud by Fjandr · · Score: 2

      Nowhere in that response is an objection to your description of what "cloud" means. In fact, it seems as though the post implicitly agrees with your definition.

      What it does say is that your claim of "Your suggestion that you don't want to have anything in the cloud is moronic." is entirely incorrect. Which it is.

    15. Re:the cloud by jd · · Score: 2

      Ah, that's a good question. In theory, central servers will have better security than Joe Average will know how to install. In practice, N times as many users will make the target f(N) times as inviting (where f() depends on who is doing the evaluating). This means that it is f(N) times as likely to be attacked by a human but equally likely to be attacked by zombies, worms and maybe the occasional vampire, since those won't care about N or f().

      If you are concerned about human crackers, then f(N) becomes the dominant factor and your server has to be f(N) times as secure in order to maintain the same equivalent risk per person. (More attackers x more attention per attacker != Comfy Sofa.)

      If you are concerned about the total number of attacks, then f(N) will never become significant in comparison to the automatic attacks. Since security has risen by more than the total number of attacks, the risk per person goes down.

      Both of these ways of looking at the problem are valid, but they are also dependent on context. Automatic attacks against a hardened Linux box, OpenBSD or VMS are unlikely to succeed. I'd be much more worried about human attackers against those. Windows boxes, on the other hand, are harder to secure well and the total number of attacks rather than the potential haul for a successful break-in becomes important.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. Facebook? Twitter? by Jeremiah+Cornelius · · Score: 5, Insightful

    The Word Press devs promoting integration with Facebook is like handing Sweeney Todd the razor and saying "Shave away, whatever you like."

    It starts with FB managing the identities and next, the discussion threads, and slowly creeps throughout - until WP is a hollow frame on which to drape FB parts.

    Eviler than Google. And that's saying a lot.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:Facebook? Twitter? by JaredOfEuropa · · Score: 2

      Remember why Facebook offers such integration: to Facebook, you are not a customer; you're the product. A product generating data to be sold to marketeers. That is the real purpose of their offering of integration, Facebook currency, Like buttons, and soon to come: what is called the social layer on the WWW. It's all meant to generate valuable data, and it'll get worse and more pervasive as FB moves from the Grow and Consolidate phases to the Cash-in phase. And that is why I am staying well clear of Facebook, despite the fact that it does offer some value to its products, I mean customers.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  3. beyond that... by hxnwix · · Score: 4, Funny

    They stole everything, but, "beyond that, however, it appears information disclosed was limited."

    1. Re:beyond that... by xMrFishx · · Score: 2

      Quick, if we shut our eyes we can't see anything being stolen!

  4. why rob banks? by Anonymous Coward · · Score: 2, Insightful

    that's where the money is.

    say you are a black hat, you gonna go after amazon cloud services or ME as an individual at home.

    individuals are gonna get hit one at a time... the cloud is a really big juicy target

    security through fifty-leven different systems & methods for each record.. kinda security through obfuscation.
    my method will be different from my neighbor

    if we are both on amazon cloud-- you only gotta get in once.

    1. Re:why rob banks? by xMrFishx · · Score: 2

      security through fifty-leven different systems & methods for each record.. kinda security through obfuscation. my method will be different from my neighbor

      Though in the terms of most consumers all that means is your key is under the mat, his is in the plant pot. I keep mine in a hornet's nest but leave the back door open in case I can't get past the hornets.

  5. Saw some unusual activity this week by Anonymous Coward · · Score: 2, Informative

    I was seeing some unusual activity on my blog hosted there. I opened a ticket and they thanked me for the info but never got back to me. Just emailed them regarding the ticket to see if they were related. Good thing I immediately went and changed my password for them. I guess I better change it again just to be safe. Mine is definitely not in the dictionary or guessable so I'm not too worried unless they can decrypt the password file. I would hope they encrypt their password file... I'll probably also have to prepare for more spam as well since this is a different email addy from last week's Epsilon breach...

    -Brad

    1. Re:Saw some unusual activity this week by v1 · · Score: 4, Insightful

      I guess I better change it again just to be safe. Mine is definitely not in the dictionary or guessable so I'm not too worried unless they can decrypt the password file. I would hope they encrypt their password file..

      If they raided the entire fridge, even if it was encrypted, they'd have the keys and thus all the passwords on a silver platter.

      I think what you meant to say is you hope the passwords were hashed.

      --
      I work for the Department of Redundancy Department.
    2. Re:Saw some unusual activity this week by dave420 · · Score: 2

      Hmm. Usually it's a hash of the password that is stored. The entered password is then hashed the same way, and if the result is the same, access is granted. Encrypted data can be unencrypted, but hashed data can't be unhashed.
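The two replies above (v1's point that a root-level intruder also walks off with any decryption key kept on the box, and dave420's description of hash-then-compare login) are illustrated by the following added example. It is not code from the thread or from WordPress.com; the account names and passwords are constructed, and the "encryption" scheme is a constructed stand-in (an HMAC-SHA256 keystream XORed with the plaintext) that exists only to show reversibility, next to a stdlib PBKDF2 hash store that supports nothing but verification.

```python
import hashlib
import hmac
import secrets

# --- Scheme A: reversible encryption with the key stored on the same server ---
# Constructed stand-in for a real cipher (CTR-style HMAC keystream XOR). Reversible
# by design: anyone holding server_key can turn every record back into a password.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_password(server_key: bytes, password: str) -> bytes:
    nonce = secrets.token_bytes(16)
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(server_key, nonce, len(pt))))
    return nonce + ct

def decrypt_password(server_key: bytes, record: bytes) -> str:
    nonce, ct = record[:16], record[16:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(server_key, nonce, len(ct))))
    return pt.decode("utf-8")

# --- Scheme B: salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) ---

ITERATIONS = 100_000

def hash_password(password: str, salt: bytes = b"") -> bytes:
    # Fresh random salt per user, so equal passwords do not produce equal records.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest

def verify_password(record: bytes, candidate: str) -> bool:
    # Login path from dave420's reply: hash the entered password the same way and compare.
    salt, digest = record[:16], record[16:]
    test = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, test)

# --- What a root-level break-in yields from each kind of table ---

# Constructed sample accounts: one strong passphrase, one that appears in a wordlist.
USERS = {"brad": "correct horse battery", "alice": "hunter2-ish"}
WORDLIST = ["password", "letmein", "hunter2-ish"]  # constructed, deliberately tiny

def stolen_encrypted_table_yields(server_key: bytes, store: dict) -> dict:
    # v1's "keys on a silver platter": with the key from the same box, every password is back.
    return {user: decrypt_password(server_key, rec) for user, rec in store.items()}

def stolen_hash_table_yields(store: dict) -> dict:
    # No key exists to steal. The only route is one PBKDF2 run per guess per user, so a
    # password that is in the wordlist falls and a non-dictionary passphrase does not.
    found = {}
    for user, rec in store.items():
        for guess in WORDLIST:
            if verify_password(rec, guess):
                found[user] = guess
    return found

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    encrypted = {u: encrypt_password(key, p) for u, p in USERS.items()}
    hashed = {u: hash_password(p) for u, p in USERS.items()}
    print("encrypted table + stolen key ->", stolen_encrypted_table_yields(key, encrypted))
    print("hashed table, no key         ->", stolen_hash_table_yields(hashed))
```

Running it shows the encrypted table giving up both accounts, while the hashed table gives up only the account whose password was in the wordlist; that is the gap between "encrypted" and "hashed" that Brad's hope and v1's correction are about.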

  6. Re:Refreshing honesty? by yincrash · · Score: 2

    99% of the comments on the wordpress post are exactly like yours. Everyone is treating it like it's not even a problem.

  7. Terrible summary by whh3 · · Score: 2

    Where did the anonymous reader get information regarding the hacker's access to "passwords/API keys for Twitter and Facebook accounts"? On a related note, it appears that the anonymous reader cannot properly copy and paste: it is Automattic, not Automatic.

    --
    remove nospam. to email!
  8. Re: twitter/fb-This has been happening everywhere by Anonymous Coward · · Score: 3, Insightful

    Login: Half the sites I visit these days have a facebook login option to access that site's account. A subset of which no longer really -have- an account management of their own.

    Discussion threads: Almost every site that has discussions threads seems to use Disqus these days.

    Avatars / Profile pictures: Thanks to the use of Disqus, that'll be Gravatar, but even sites that still have their own commenting system seem to be jumping to Gravatar, including WordPress.com.

    I'm not sure who knows more about people anymore.. Google or that little conglomeration of services.

  9. Re:WTF? by Anonymous Coward · · Score: 2, Funny

    It doesn't matter how much you keep trying, Mr. Beck, Slashdot won't hire you after your gig at Fox News is done.

  10. Re:CGI systems by Anonymous Coward · · Score: 2, Insightful

    The only way today I would run a website is with a web server on the outside with no hard disk, and a java virtual machine executing the URL references on a completely separate networked machine using the apache tomcat plugin.

    Wow! You could serve TENS OF USERS with that rig!

  11. Re: twitter/fb-This has been happening everywhere by hedwards · · Score: 2

    I refuse to sign up for sites like that. I played around with OpenID for a bit, but stopped pretty quickly. A single point of failure is really not a good thing.

  12. Re:WTF? by Dishevel · · Score: 3, Informative

    But they don't own me; they do, though, rent me with really cool shit.
    Even after they rented me they kept improving the shit they rented me with.
    They win too. They serve me up small text ads. Ones that kind of hang back and allow me to see the stuff I want to see.
    Because they rented me they also can do a better job of making those unobtrusive text ads sometimes useful.
    If they fuck us over then their flock runs away. Then their profits go down. They do not want to do that.
    What they want is to continue to serve me really good ads that make them shitloads of money.
    What I want is really cool shit and ads that don't make me want to tear my eyes out.
    That is why me and Google get along so well.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  13. Re: twitter/fb-This has been happening everywhere by Anonymous Coward · · Score: 3, Insightful

    Gravatar is particularly bad because it is uniquely* identifying to your e-mail address.
    (* as far as MD5 is unique for the purposes)

    If you were ever silly enough to use your e-mail address on some random blog to make an anonymous post - falsely trusting that the site wouldn't make this public - and that site decides to add Gravatar -without- making sure it only adds this for non-Anonymous posts... bam. exposed.

    In addition, of course, Gravatar knows who you are, at least by e-mail address (not sure what other information you have to give up). Because Gravatar hosts the avatar images but gets referenced from the original site (or via Disqus), Gravatar essentially knows where you have posted comments.

    That's just two of the security/privacy issues with Gravatar - a web search will yield many more. But users typically don't care.. they just think it's great that they can go to Gravatar, upload a new profile image, and that's instantly updated on every service you use. That's useful to some. Webmasters also generally don't care, because they believe that -all- their users are the aforementioned type of user. This happened recently at a site and after a short explanation in the discussion system there (not Disqus, thank goodness), many agreed that the webmaster made a booboo and the webmaster made it opt-in a few days later; but the damage was already done. Gravatar essentially had a list of everybody who ever commented there - people who are typically customers of that site - the moment people started viewing pages. And that's presuming Gravatar doesn't immediately scrape the site for data collection - I know I would if I were evil.

    I've long given up the idea that there's anything I can do completely anonymously - but it still saddens me to see that privacy is yanked away so readily and without any consent, thanks to the masses.
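The comment above describes two things: the avatar URL is an MD5 of the normalized e-mail address, so the same address yields the same image URL on every site that embeds it, and a site that emits that URL for posts meant to be anonymous exposes the poster. The following added example (not from the thread or from Gravatar) shows both the cross-site linkability and the opt-in gating the commenter says the webmaster eventually adopted. The comment records and their field names (`email`, `anonymous`, `gravatar_opt_in`) are constructed for the example; the trim-and-lowercase normalization and the `s=`/`d=` URL parameters are Gravatar's documented ones.

```python
import hashlib
import html
from typing import Optional

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"

def gravatar_hash(email: str) -> str:
    # Gravatar's documented normalization: strip surrounding whitespace, lowercase, MD5 hex.
    # Deterministic, so any party seeing the URL can compare it with hashes of known addresses.
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

def gravatar_url(email: str, size: int = 80) -> str:
    # s= is the pixel size, d=identicon asks for a generated fallback image.
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?s={size}&d=identicon"

def linkable_across_sites(comment_a: dict, comment_b: dict) -> bool:
    # Two comments on unrelated sites carrying the same avatar hash came from the same address,
    # whatever display names were used. This is the privacy problem the comment describes.
    return gravatar_hash(comment_a["email"]) == gravatar_hash(comment_b["email"])

def avatar_for_comment(comment: dict) -> Optional[str]:
    # Mitigation: never emit the hash for an anonymous post, and only for commenters who opted in.
    # (Field names are constructed for this example.)
    if comment.get("anonymous") or not comment.get("gravatar_opt_in"):
        return None
    return gravatar_url(comment["email"])

def render_comment(comment: dict) -> str:
    # Server-side rendering of one comment; the e-mail hash reaches the page only via avatar_for_comment.
    avatar = avatar_for_comment(comment)
    img = f'<img src="{html.escape(avatar)}" alt="">' if avatar else ""
    name = html.escape(comment["display_name"])
    body = html.escape(comment["body"])
    return f"<li>{img}<b>{name}</b>: {body}</li>"

# Constructed sample comments: the same person on two different sites, once anonymously.
SITE_A_COMMENT = {"email": "Jane.Doe@example.org", "display_name": "jane",
                  "anonymous": False, "gravatar_opt_in": True, "body": "Nice post."}
SITE_B_COMMENT = {"email": " jane.doe@EXAMPLE.org ", "display_name": "Anonymous",
                  "anonymous": True, "gravatar_opt_in": True, "body": "My employer is awful."}

if __name__ == "__main__":
    print("linkable:", linkable_across_sites(SITE_A_COMMENT, SITE_B_COMMENT))
    print(render_comment(SITE_A_COMMENT))
    print(render_comment(SITE_B_COMMENT))
```

With the gating in place the anonymous post on site B renders with no avatar at all, so its hash never leaves the server; without it, the two posts would carry the same image URL and the "anonymous" one would be tied to the named one on site A.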

  14. What have I learned here? by __aayuzx6098 · · Score: 4, Interesting

    If large, well-funded companies, even those that specialize in security (!), or whose business depends upon keeping their proprietary info safe, cannot keep their servers secure, what chance does a Mom and Pop operation like mine have?

    This year I spent 4 weeks studying the OS X Server Security Config (400 pp.), and implementing those recommendations. I've looked at best practice guides for all the underlying FOSS tools I use. I monitor logs.

    But it seems never enough to keep out a determined, skilled hacker. Do I despair? Give up? What lessons can I take from this?