Slashdot Mirror


Popular Wordpress Plug-in Caught Spamming Is Put On Probation

chicksdaddy writes "Social Media Widget, a free plug-in for the WordPress blogging platform with more than a million downloads, was restored to WordPress's official plugin directory on Thursday, days after it was found injecting WordPress websites with spam links to web sites offering Pay Day Loans. In a post on a support forum for Social Media Widget (SMW), Samuel Wood, a WordPress administrator, said that WordPress was willing to give SMW and its owner a second chance after he claimed to have been the victim of a contract developer gone rogue. 'Naturally we do take a very hard line on spam, and obviously an author putting malicious code into a plugin is enough grounds for us to bring down the ban hammer,' Wood wrote on Friday. 'But there are natural circumstances where an author may not be at fault.' SMW appears to be such a case. It is one of the 20 most popular WordPress add-ons and allows WordPress web site operators to include links to their other social media accounts. Brendan Sheehan, the owner of SMW, said, 'We trusted the wrong people with our plugin code and take full responsibility. We are a marketing company at heart and are not actually developers, so in order to provide major updates and improvements, we had to seek outside help. Some of these people deceived us and abused our trust and naivety...We will not make this mistake again.' Wood said the folks at Wordpress decided to accept that story — but that they're watching SMW closely. 'Basically, the current maintainer is not a professional programmer, and put his trust in the wrong freelancers to do the coding work for him...We'll be watching the plugin for changes,' he said. 'The plugin is back up for now, and as long as it stays clean, it's fine.'"

76 comments

  1. Well, I guess I won't be using WordPress soon. by Anonymous Coward · · Score: 5, Insightful

    That's a nice attitude to have. "The author of this plugin was caught injecting malicious code into every website using it, but we'll keep it on the downloads page so long as he agrees to follow the honour system?"

    How fucking stupid do you have to be?

    1. Re:Well, I guess I won't be using WordPress soon. by Anonymous Coward · · Score: 0

      I don't know why you got modded down because you are absolutely correct.

      This "social pariah plugin" still has 4 out of 5 stars at WP and displays only one review mentioning that it works like a trojan.

    2. Re:Well, I guess I won't be using WordPress soon. by Anonymous Coward · · Score: 0

      I'm guessing because a lot of the WordPress devs read this site. They don't want something like this to become major news because...well, if people were to suddenly realize that any odd plugin they pull in for their WordPress site could contain malicious code...that would kind of defeat the purpose of using the plugins in the first place, and WordPress if you're even remotely security conscious.

      Either that or the editors were paid off to meta-mod for the same reason, this is Slashdot after all.

  2. Wordpress blows by rudy_wayne · · Score: 0, Flamebait

    Wordpress is a cancer on the Internet. It really needs to die.

  3. FUNNY THAT IS EXCUSE #6 IN A FAMOUS ANDROID APP !! by Anonymous Coward · · Score: 0

    And apparently that app works !!

  4. Re:That's fucking stup-- by LordLucless · · Score: 4, Insightful

    I know! We'll write everything in-house instead! Once I've got my custom language compiling, I'll start work on the relational database engine. We should have the site finished some time in 2030.

    Sooner or later, you're going to have to trust someone else's code. I guarantee you, whatever projects you work on, you're using someone else's code for something, and probably sight-unseen.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  5. Troll by Frosty+Piss · · Score: 4, Insightful

    That's fucking par for the course for PHP devs...

    And there's the troll.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Troll by Anonymous Coward · · Score: 5, Insightful

      Is it still trolling if it's true?

    2. Re:Troll by Frosty+Piss · · Score: 1

      In some cases, yes. But in this case it wasn't true. So there is an extra troll factor added.

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:Troll by Frosty+Piss · · Score: 0

      Whatever buddy, go back to masturbating in your mom's basement.

      --
      If you want news from today, you have to come back tomorrow.
    4. Re:Troll by Frosty+Piss · · Score: 0

      Just because you're a php whore doesn't make it any less true.

      I'm a PHP Whore? Really?

      Why don't you post with your account instead of "Anonymous Coward", and we'll talk about it?

      At least I have the BALLS to post with my logged-in user name. Unlike you.

      --
      If you want news from today, you have to come back tomorrow.
    5. Re:Troll by phantomfive · · Score: 1

      It can be, like in this case where the truth is not related to the article.

      Another way to troll by telling the truth is saying something like, "You have never denied that you killed a girl in 1990." It can be a hilarious troll, but it's still a troll.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Troll by Anonymous Coward · · Score: 0

      Why does it matter who says it? People who can't weigh the argument by its merits will probably ignore this as some sort of spam and those who know the facts will simply agree. That leaves us with people who get personally offended.

    7. Re:Troll by betterprimate · · Score: 2

      Yes, because it's a false generalization. It's not like we are all C&Ping from hotscripts.com. People who do so aren't developers.

      PHP is a flexible and powerful language. Not to mention it's by far the most popular scripting language. It's also easy to learn, hence it can easily be abused and/or misused. Something I also see a lot of in JavaScript.

      So, yes, GP is a troll.

    8. Re:Troll by Anonymous Coward · · Score: 0

      Just because you're a php whore doesn't make it any less true.

      I'm a PHP Whore? Really?

      Why don't you post with your account instead of "Anonymous Coward", and we'll talk about it?

      At least I have the BALLS to post with my logged-in user name. Unlike you.

      Sure, Mr. Piss, whatever you say.

  6. So, their defense is incompetence? by jcr · · Score: 5, Funny

    Truly confidence-inspiring.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
    1. Re:So, their defense is incompetence? by Anonymous Coward · · Score: 0

      Truly confidence-inspiring.

      -jcr

      I would have said, "I was drugged, kidnapped and forced to use this code by Microsofties!"

      If anything, it might have given me some sympathy on Slashdot.

    2. Re:So, their defense is incompetence? by Anonymous Coward · · Score: 0

      Truly confidence-inspiring.

      -jcr

      I would have said, "I was drugged, kidnapped and forced to use this code after a brutal Tacosnotting!"

      If anything, it might have given me some sympathy on Slashdot.

      FTFY.

    3. Re:So, their defense is incompetence? by Anonymous Coward · · Score: 0

      They don't even make an attempt at defending themselves. They've essentially just said, "a plugin for Wordpress has been found to contain malicious code but don't worry, we're keeping a close eye on him. After the fact."

      I wonder if the people behind the brute force attacks would have bothered, if they knew that all they had to do to compromise a Wordpress site is release a plugin and let the Wordpress devs do the work for them?

    4. Re:So, their defense is incompetence? by Anonymous Coward · · Score: 2

      Agreed

      Full responsibility = ban

      Examples have to be made.

    5. Re:So, their defense is incompetence? by Anonymous Coward · · Score: 0

      Hang on, I still need to practice copying my username into the body of my post, as if it is somehow relevant. I am a fucking narcissist, after all.

      -jcr

    6. Re: So, their defense is incompetence? by Anonymous Coward · · Score: 0

      Or pay WordPress to do their spamming for them.. WP have no qualms about working with spammers (http://tech.slashdot.org/story/05/03/31/196220/wordpress-banned-by-google-for-spamming)

    7. Re:So, their defense is incompetence? by jcr · · Score: 1

      Kid, I've been signing my posts since before you were even a gleam in the proverbial milkman's eye. I'm not going to stop just because you digg.com newbs get bent out of shape about it.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    8. Re:So, their defense is incompetence? by Anonymous Coward · · Score: 0

      Son, get off my lawn.

      -jcr

  7. Re:That's fucking stup-- by Anonymous Coward · · Score: 2, Interesting

    Firstly I want to make it clear I don't think it's a matter of being a "PHP dev" that makes people stupid, since I'm a freelancer myself and am sometimes forced to use PHP. I wouldn't say I'm stupid or incompetent. I will however say that you're missing the point grandparent was trying to make, misled as it was. You're acting like the matter of wheel reinventing and copy and pasting is so black and white. It's not, it isn't unreasonable to expect people to take a quick look and test over a new plugin before putting it into production usage. Nor is it unreasonable to spend a few extra dollars to hire someone for a short while to review the other guy's code. You cannot trust every single piece of code you see while at the same time reusing other people's code, it's naive to make the leap of logic you did.

    I will however say that I end up being hired to fix shitty PHP code more often than not. Kind of worrying... It's why I'm on my way out of this sorry excuse for a career. I don't recommend it.

  8. Should have used... by Anonymous Coward · · Score: 0

    ...Dice!!! Bwahahaha.

  9. marketing by Mr.+Slippery · · Score: 5, Insightful

    "We are a marketing company at heart..."

    IOW, "we are scum whose very purpose in life is to force unwanted messages into your eyes and ears, but trust us that this incident of unwanted messages was accidental."

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
    1. Re:marketing by game+kid · · Score: 1

      ...and "social media" is, like, the pinnacle of modern spam. Indie game developer? "Like us on Facebook for a chance to win Horse Armor!" Big news network? "Don't forget to follow our forecasts on twitter!" Celebrity? "Had #lunch with @CalvinKlein, you should #buyTheirStuff! I did! #shamelessplug #andthelunchtastedgood #LOLhashtags"

      In short, SMW was banned for its very purpose--just not permanently enough.

      --
      You can hold down the "B" button for continuous firing.
    2. Re:marketing by houghi · · Score: 1

      I think what you want to say is that they are "A bunch of mindless jerks who'll be the first against the wall when the revolution comes."

      Curiously enough, an edition of the Wikipedia which conveniently fell through a rift in the time-space continuum from 1000 years in the future describes them as: "A bunch of mindless jerks who were the first against the wall when the revolution came."

      --
      Don't fight for your country, if your country does not fight for you.
  10. hosted by Akamai, Qwest by Anonymous Coward · · Score: 0

    looking at the malicious URL (i.aaur.net) it seems Akamai, Qwest are hosting malware now, site registered with hidden whois, take out the malicious domain and their scumbag rackspace DNS and their shit falls apart

  11. Teach them to read diffs! by Anonymous Coward · · Score: 3, Insightful

    For f*cks sake, there's no reason a supervisor shouldn't at least run a diff of the code and recompile (if applicable) before pushing a release. Unless there are huge changes, it shouldn't take more than 10 minutes. If anything looks really weird or out of place, start asking questions, preferably to someone else.

    1. Re:Teach them to read diffs! by crutchy · · Score: 1

      it would take torvalds about 3 seconds

      "oh, it's php... bin it"
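    The review step argued for in "Teach them to read diffs!" above, as an added example that is not part of this thread, of the plugin, or of WordPress: a small Python script that diffs two versions of a plugin's PHP source and flags the added lines a supervisor should question before pushing a release (hidden markup, hard-coded outbound links, obfuscated strings, dynamic code execution). The two PHP sources, the esw_ function names and the spam.example domain are constructed for the illustration, and the pattern list is a starting heuristic, not a complete one.

```python
"""Release-review helper: diff two versions of a plugin's source and flag
added lines that deserve a question before the release goes out.

Added example, not the plugin's or WordPress's code. The sample PHP below
is constructed; spam.example is a placeholder, not a real indicator.
"""
import difflib
import re

# Heuristics applied to ADDED lines only: things a social-icon widget has
# no business introducing in a routine update. Constructed, not exhaustive.
SUSPICIOUS = [
    ("outbound link", re.compile(r"""href\s*=\s*['"]https?://""", re.I)),
    ("hidden markup", re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)),
    ("dynamic code execution", re.compile(r"\b(eval|create_function|assert)\s*\(", re.I)),
    ("obfuscated payload", re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("remote fetch", re.compile(r"""\b(file_get_contents|curl_init|wp_remote_get)\s*\(\s*['"]https?://""", re.I)),
]

# Constructed "previous release" of a toy social-icon widget.
OLD_PLUGIN = """<?php
/* Plugin Name: Example Social Widget (constructed sample) */
function esw_render_icons($accounts) {
    $html = '<ul class="esw-icons">';
    foreach ($accounts as $name => $url) {
        $html .= '<li><a href="' . esc_url($url) . '">' . esc_html($name) . '</a></li>';
    }
    return $html . '</ul>';
}
add_action('wp_footer', function () { echo esw_render_icons(get_option('esw_accounts', [])); });
"""

# Constructed "new release": same file with three lines slipped in.
NEW_PLUGIN = """<?php
/* Plugin Name: Example Social Widget (constructed sample) */
function esw_render_icons($accounts) {
    $html = '<ul class="esw-icons">';
    foreach ($accounts as $name => $url) {
        $html .= '<li><a href="' . esc_url($url) . '">' . esc_html($name) . '</a></li>';
    }
    // Compatibility tweak (constructed: what an injected line might look like)
    $html .= '<li style="display:none"><a href="http://spam.example/">sponsored</a></li>';
    $html .= base64_decode('Li4u'); // constructed sample of an opaque string
    return $html . '</ul>';
}
add_action('wp_footer', function () { echo esw_render_icons(get_option('esw_accounts', [])); });
"""


def added_lines(old_src, new_src):
    """Yield (line_number_in_new_file, text) for every line added in new_src."""
    diff = difflib.unified_diff(old_src.splitlines(), new_src.splitlines(), lineterm="", n=0)
    lineno = 0
    for line in diff:
        if line.startswith(("+++", "---")):
            continue  # file headers
        if line.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first new-file line of the hunk.
            m = re.search(r"\+(\d+)", line)
            lineno = int(m.group(1)) if m else 0
            continue
        if line.startswith("+"):
            yield lineno, line[1:]
            lineno += 1
        # Removed ('-') lines do not advance new-file numbering; n=0 means no context lines.


def review_release(old_src, new_src):
    """Return [(line_number, label, text)] for added lines matching a heuristic."""
    findings = []
    for lineno, text in added_lines(old_src, new_src):
        for label, pattern in SUSPICIOUS:
            if pattern.search(text):
                findings.append((lineno, label, text.strip()))
    return findings


def main():
    findings = review_release(OLD_PLUGIN, NEW_PLUGIN)
    if not findings:
        print("no flagged additions")
    for lineno, label, text in findings:
        print(f"line {lineno}: {label}: {text}")


if __name__ == "__main__":
    main()
```

    Only added lines are scanned, so a long-lived file full of legitimate `href=` strings produces no noise; what a reviewer sees is exactly the delta the contractor delivered. A hit is a question to ask, not a verdict, but a hidden list item pointing at an unrelated domain in a "compatibility tweak" is the kind of thing the ten-minute diff read in the comment above is meant to surface.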

  12. Re:That's fucking stup-- by LordLucless · · Score: 3, Insightful

    You can not trust every single piece of code you see while at the same time reusing other people's code, it's naive to make the leap of logic you did.

    And I never said you did; the leap of "logic" was on the part of the GP, not me. He said, and I paraphrase, if you install code you haven't reviewed, you deserve whatever you get. I said that, sooner or later, you must trust some code, not that every random piece of code is worthy of trust.

    And in this case, it's quite possible that people did perform a review of this plugin; after all, it hasn't been spamming the whole time it's been available. They performed an update on their plugin without vetting the update. Sure, that's not best practice, but I do the same thing on my personal computer at home all the time, even if I don't do it on my production systems. If I hosted a podunk little blog on Wordpress? I probably wouldn't vet every "security patch" for every plugin I used either.

    GP is a great big case of "blame the victim" mentality. Someone was malicious. They deliberately inserted malicious code into a trusted repository.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  13. Re:It is causing me to lose confidence... by Anonymous Coward · · Score: 0

    As opposed to cause you to tighten confidence?

  14. Marketing by Anonymous Coward · · Score: 0

    the next lower life form after attorneys

  15. 'Nuff said by Anonymous Coward · · Score: 0

    We are a marketing company at heart and are not actually developers

  16. Re:That's fucking stup-- by Intrepid+imaginaut · · Score: 3, Interesting

    It's a tool like any other, and it definitely has its place. What doesn't have a place is people who reject tools for pseudo philosophical reasons rather than utility.

  17. This is what they deserve. by betterprimate · · Score: 5, Informative

    "We trusted the wrong people with our plugin code and take full responsibility. We are a marketing company at heart and are not actually developers, so in order to provide major updates and improvements, we had to seek outside help."

    The first headline on their website states, "Blink Web Effects creates innovative web applications and tools - totally free and open source." If they're not developers, why are they a company to begin with? It is really tiresome to see fucking marketing hacks thinking they are enlightened and entitled while they pay some 3rd world country developer to build their company.

    This is what they deserve. Good riddance.

    1. Re:This is what they deserve. by contactus9483 · · Score: 1

      The sad thing is, the marketing companies that do their homework, spend many hours, testing, securing, and protecting their clients from crap like this will suffer from those that don't. That being said, this is an age old story that has and will continue to repeat, over, and over, and over...

  18. Pull the other one, it's got bells on by russotto · · Score: 4, Funny

    A contract programmer pulled a fast one on a marketing company to get their product to spam people. Yes, absolutely, I can believe that. So can my friend the Easter Bunny.

  19. Re:That's fucking stup-- by Mr.+Slippery · · Score: 3, Insightful

    There is no good PHP, it's just horribly hacked together shit, and no one with an ounce of pride uses that language.

    foreach (array('PHP', 'Perl', 'Java', 'C', 'C++', 'Javascript') as $language) {
        echo "There is no good $language, it's just horribly hacked together shit, and no one with an ounce of pride uses that language.\n";
    }

    "There does not now, nor will there ever exist, a programming language in which it is the least bit hard to write bad programs." -- Lawrence Flon

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  20. Re:That's fucking stup-- by manu0601 · · Score: 0, Troll

    That's fucking par for the course for PHP devs: "I don't know what this code does, but I pasted it into my website so I have a twitter feed now! You should too!"

    You could say the same thing with Java, except that the result is slower

  21. For the individual programmer.. no laws.. by Anonymous Coward · · Score: 0

    So, we're still ok with a business structure in the software development world where programmers have absolutely zero legal liability for their code (outside of military contracts and medical devices).

    Seriously, programmers need to be put on notice and on the same legal liability standards as every other person working in the economy.

    1. Re:For the individual programmer.. no laws.. by lightknight · · Score: 2

      Sure, you start paying us like doctors, lawyers, and so on, and we'll talk about liability. But the reality is, the software industry would implode with the requirement for liability insurance, as the stuff we work on is far too complicated for even the brightest of programmers, and the pay is often times way too low. You want to sue a PHP programmer making $40K / year because some el cheapo company hired him / her to bang out a site with no lead time and zero patience? Good luck with that.

      Although I'd love to see it happen some days, as it would throw 99% of the programmers out of the industry, and drive the wages up to something unthinkable, with triple iron-clad indemnity agreements and waiting lists for a programmer's time that, let's be honest, would be beautiful payback for some of the bullsh*t that has been pumped through the tech sector this last decade. It would also destroy what's left of the tech industry, but then, I can see vultures in the air overhead, and wonder if it's not already too late.

      In short, fix the wages / salaries of programmers, and quit dicking around / playing games. If you think outsourcing companies are going to jump on the idea of legal liability for the code they produce, think again: they know what will happen, and will fold. You can pay us to work, and we will work; or you can pretend to pay us, and we will pretend to work. *shrugs*

      --
      I am John Hurt.
    2. Re:For the individual programmer.. no laws.. by greg1104 · · Score: 1

      Liability insurance for developers does not cost very much. My consulting company has an insurance policy for the work we do, and the premium is based on how much money the company makes. I'm making enough to fund two full time people and my liability policy is around $1000 per year.

      The biggest thing that keeps developers safe is the minimum legal costs of taking someone to court for long enough to sort out blame on a software project. If I botch $10K worth of development, it's impossible hire a legal team and beat it out of me with any real profit. I'd have to make a $100K mistake before I'd be worried someone might actually sue me for being incompetent.

    3. Re:For the individual programmer.. no laws.. by mysidia · · Score: 1

      Sure, you start paying us like doctors, lawyers, and so on, and we'll talk about liability. But the reality is, the software industry would implode with the requirement for liability insurance, as the stuff we work on is far too complicated for even the brightest of programmers, and the pay is often times way too low

      Programming errors and provably intended malice are different things.

      Errors are understandable... the company developing the software has a duty to fix errors, but the individual programmer has limited ability to 'own' the operational characteristics of the result.

      Now, if it can be proven the developer inserted malicious code specifically designed to commit a crime or abuse, then that developer has potential criminal and civil liability.

    4. Re:For the individual programmer.. no laws.. by Anonymous Coward · · Score: 1

      There are plenty of trade jobs in the same income brackets as programming which are required to follow basic liability standards for the work they do when it pertains to legal compliance and safety.

      Jobs where crappy work that puts others in danger or loss will cost them their livelihood, or worse: most construction sub-contractors, locksmiths, welders, linemen, auto mechanics, accountants, farmers. At least half that list makes more like 2/3 what the average programmer makes.

      Part of the issue right now is the programming industry is too broad and has lots of undefined tiers with all these hacks calling themselves "software engineer" or "developer." Most programmers are code toads, little more than moderately skilled production workers. A few who understand computing systems top to bottom are software engineers (less than 1%). A smaller fraction of those elite might rise to the standard of software architects (people smart enough and with enough experience to design *new* things).

      Most of the people who can step back and look at the big picture end up doing infrastructure / IT. It requires a broader skill set, the ability to bring skills back to bear that haven't been touched in many months, and the ability to learn entirely new skills on the fly. As a result, it generally pays much better, because people good at it are much more rare than code monkeys who can write Java.

    5. Re:For the individual programmer.. no laws.. by Anonymous Coward · · Score: 0

      Programmers shouldn't worry though. Roughly 80% of their job market will disappear within 20-25 years. Programming with words and statements in text will last only slightly longer than with punch cards.

      Many tools to convert flow charts and similar multidimensional intent representations directly to software already exist. I suspect current AI systems like Watson can churn out amazing code all day long, once the computational requirements can be embodied somewhere in the double digits of cubic feet of space and a few kWh, it will make more sense to build server racks of programmers than even to waste time outsourcing them to India or China.

    6. Re:For the individual programmer.. no laws.. by Anonymous Coward · · Score: 0

      I have £1m liability insurance and it cost me about £200 - it's commonplace for professional contractors to have such insurance, normally at the upper end of the market though

    7. Re:For the individual programmer.. no laws.. by betterprimate · · Score: 1

      Hear, hear!

    8. Re:For the individual programmer.. no laws.. by Captain+Hook · · Score: 1

      Liability insurance for developers does not cost very much.

      But is that because the programmers/companies which do take out insurance are exactly the group who care about their reputation and business and so would be less likely to need to use the insurance anyway?

      If you start mandating that all companies need insurance, then I think you'll see premiums increase because the ratio of bad to good developers will increase.

      --
      These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    9. Re:For the individual programmer.. no laws.. by dodobh · · Score: 1

      Programming is the job of writing precise specifications.

      A picture might be worth a thousand words, but there's a good reason we have books of only words, and not merely picture books.

      --
      I can throw myself at the ground, and miss.
  22. Word Press? Not so much... by contactus9483 · · Score: 1

    Shit like this, is exactly why I do not recommend using Word Press. I mean seriously, WP devs you are in action condoning black hat hackers. Awww... let's give them a second chance to abuse the millions of users that trust us... they said they were sorry... :O *blink *blink *blink Really!?!

  23. shit happens by Anonymous Coward · · Score: 0

    when you contract your project out to some random unknown asian or russian (or african) through online "freelance" services

  24. Re:That's fucking stup-- by Anonymous Coward · · Score: 0

    You could say the same copy and paste stuff about Javascript and Jquery.

    It's like saying only compiled languages qualify as programming.

  25. Hard line on spam by Anonymous Coward · · Score: 1

    Naturally we do take a very hard line on spam...

    Yes, of course, it's not like WordPress got caught spamming themselves.

  26. Re:That's fucking stup-- by Anonymous Coward · · Score: 0

    Nah, it's not slower anymore. It just takes up more RAM.

  27. Re:That's fucking stup-- by betterprimate · · Score: 2

    I know! We'll write everything in-house instead! Once I've got my custom language compiling, I'll start work on the relational database engine. We should have the site finished some time in 2030.

    You do realize we are talking about a Wordpress widget?

  28. Re:That's fucking stup-- by Anonymous Coward · · Score: 0, Insightful

    Per my experience with PHP, your one-liner will eventually break in some strange way. It really is the worst.

  29. Re:That's fucking stup-- by LordLucless · · Score: 1

    GP made no such qualification. He was speaking in general about how stupid it was to reuse code you hadn't written yourself.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  30. Re:That's fucking stup-- by Anonymous Coward · · Score: 1

    I recently broke my WordPress cherry, and I have to say the experience was extremely frustrating because 90% of the resources are not aimed at "developers" or even "PHP developers". Trying to find any real information about the API was incredibly frustrating.

    The entire WordPress ecosystem seems to be oriented towards semi-technical users who just want to click this thing and copy some files around. Basically people with blogs and brochure-ware sites who want a twitter icon without opening a text editor.

  31. Re:That's fucking stup-- by betterprimate · · Score: 2

    Cool. Sorry I missed that. I shouldn't've presumed his comment was in direct response to TFS.

  32. Re:That's fucking stup-- by mysidia · · Score: 3, Insightful

    Sooner or later, you're going to have to trust someone else's code. I guarantee you, whatever projects you work on, you're using someone else's code for something, and probably sight-unseen.

    It's not everyone's code you can't trust.

    It's only (1) the code you will actually distribute with your software, and (2) uncommon dependencies that are not part of widely used software packages.

    And even then, you have to be able to trust the code of people working for you; e.g. the coders you hire. If you can't do that, then you can't get anything done.

    So you should check into their background, and make sure the people you hire to make your code are either under a good contract or surety bond that protects your interest, and effects some risk transfer by providing you the right to sue for damages, especially, in case of obvious or provable malice.

    That way you align your worker's interest with yours, by ensuring that if they conduct an intentional abuse they are at risk.

  33. Re:That's fucking stup-- by mysidia · · Score: 1

    I will however say that I end up being hired to fix shitty PHP code more often than not. Kind of worrying... It's why I'm on my way out of this sorry excuse for a career. I don't recommend it.

    It sounds challenging... then again rewrite may be better than fixing, as long as the pay is good....

  34. China by zaax · · Score: 1

    This is the problem of subcontracting to China, who knows what else they have put in that hasn't shown up yet but is slowly attacking the USA's defences.

    1. Re: China by Anonymous Coward · · Score: 1

      As the PR officer of The Association of Scapegoated Jews, Blacks and Arabs, I'd like to thank you for helping shift focus towards the inscrutable Chinese. They are a truly dishonest race that is nothing like the financially generous Jew, the unincarcerated black and the non-wife beating Arab.

  35. Whatev, that plugin sucks anyway by Anonymous Coward · · Score: 0

    I've been doing wordpress development for about ten years, and FWIW, I've found Shareaholic's "Sexy Bookmarks" looks better, works better, and gets a better response.

    Despite the stupid name(s). Here's a tip: If people find your name is too "sexy," re-branding it as something to do with drug/alcohol abuse is NOT your best alternative.

  36. true and false by phorm · · Score: 1

    It's not really any less true for a good many other languages...

  37. Re:It is causing me to lose confidence... by Anonymous Coward · · Score: 0

    I like wordpress because it is simple, robust and easy to secure

    LOLOOLOLOL

  38. Here's a better troll by Anonymous Coward · · Score: 0

    "I'm not a real programmer. I throw together things until it works then I move on. The real programmers will say "Yeah it works but you're leaking memory everywhere. Perhaps we should fix that." I’ll just restart Apache every 10 requests." -- PHP creator Rasmus Lerdorf

    "I was really, really bad at writing parsers. I still am really bad at writing parsers." -- PHP creator Rasmus Lerdorf

    "For all the folks getting excited about my quotes. Here is another - Yes, I am a terrible coder, but I am probably still better than you :)" -- PHP creator Rasmus Lerdorf

    Any programmer reading the stuff this guy says should become properly terrified of PHP. If they aren't, I don't want to use any software they work on.