Slashdot Mirror


WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext

An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites. "This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user's password is collected (in cleartext) and sent to his server." WordPress hasn't moved in to ban the plugin just yet, despite user complaints.

76 comments

  1. plugin has been suppressed from the wordpress site by Herve5 · · Score: 4, Informative

    I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...

    --
    Herve S.
  2. Truly irresponsible by Anonymous Coward · · Score: 0

    I see no good reason that the plugin hasn't been banned. It's behaving in a completely unreasonable manner when it's sending passwords to the "developer." There's also no good reason to allow such a takeover. Forking a plugin makes sense, sure, but not a takeover like this.

    It also seems certain that these passwords are being abused, and the developer would appear to be a likely suspect. The developer should be extradited to face charges for this. It's malicious; there's certainly no legitimate reason to send passwords to the developer.

    1. Re:Truly irresponsible by Dunbal · · Score: 3, Funny

      The developer should be extradited

      Why? He didn't hack a movie studio or a music studio, nor did he hack the government. Extradited, hahahahahahahahaha oh wait you were serious...

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Truly irresponsible by Anonymous Coward · · Score: 0

      Why? He didn't hack a movie studio or a music studio, nor did he hack the government. Extradited, hahahahahahahahaha oh wait you were serious...

      Extradited? Don't be silly. We don't request extradition of overseas nationals. Why bother with that when we can simply add their name to the drone kill list?

  3. What do you mean by "forcibly taken over" by Anonymous Coward · · Score: 0

    This is ludicrous. Can you define what constitute "forciblity"?

    1. Re:What do you mean by "forcibly taken over" by Anonymous Coward · · Score: 0

      Can you define what constitute "forciblity"?

      Yes. I can also spell "forcibly", incidentally. It means that the plugin was taken over without the consent of the original developer. It may not be the best choice of word, but its meaning seems perfectly clear.

      Can you define what constitutes "ludicrous"?

    2. Re:What do you mean by "forcibly taken over" by Anonymous Coward · · Score: 0

      Can you define what constitute "forciblity"?

      Yes. I can also spell "forcibly", incidentally. It means that the plugin was taken over without the consent of the original developer. It may not be the best choice of word, but its meaning seems perfectly clear.

      Can you define what constitutes "ludicrous"?

      Ain't he a rapper?

    3. Re:What do you mean by "forcibly taken over" by Anonymous Coward · · Score: 0

      No, that was his sister demonstrating her forcibility.

  4. This took longer to happen than I thought by dbIII · · Score: 2, Informative

    Seriously guys, I know it's the quick and lazy way to put together a website, but it's obvious that this sort of thing is going to happen in that creaking pile of PHP, intentional or otherwise.

    1. Re:This took longer to happen than I thought by Anonymous Coward · · Score: 0

      Seriously guys, I know it's the quick and lazy way to put together a website, but it's obvious that this sort of thing is going to happen in that creaking pile of PHP, intentional or otherwise.

      Quick and dirty, full of holes and security issues. And don't forget that WP runs on about 50% of the websites worldwide...

    2. Re:This took longer to happen than I thought by Bengie · · Score: 1

      The real question is why the web daemon even had permission to modify files.

    3. Re: This took longer to happen than I thought by Anonymous Coward · · Score: 0

      Not to be picky. I think it is just over 20%.

    4. Re:This took longer to happen than I thought by Anonymous Coward · · Score: 0

      Presumably so it could update itself through the web interface. I believe WordPress by default has an update mechanism and an ability to download and install plugins straight through the admin interface, and that requires the web daemon to have permission to modify itself.

    5. Re:This took longer to happen than I thought by phantomfive · · Score: 2

      Indeed, it might be said that wordpress itself is malware.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:This took longer to happen than I thought by Bengie · · Score: 1

      That's just asking for trouble. There should be a separate helper interface daemon that is heavily locked down and well tested that can modify files.

  5. Whaat? by Anonymous Coward · · Score: 0, Insightful

    Security issues with WordPress? What is this world coming to?

    "So... it takes an hour to be compromised?" he asks, using a word he must have recently heard at an IT Manager's round table somewhere.
    "No, it takes about 30 seconds to compromise, but on average it takes about an hour for the robots to find it." I reply.

    1. Re:Whaat? by Anonymous Coward · · Score: 0

      I didn't know that THE BOFH posted as AC around here ;)

  6. What it means to run a program. by Anonymous Coward · · Score: 0

    Have people forgotten what it means to run a program? It seems that script languages, sandbox runtime environments and checked code have numbed people to the realities of running code from the internet.

  7. Chill. It's just a buggy update feature. by Qbertino · · Score: 0

    I RTFA and apparently it's just a bug in the plugin's auto-update. Albeit a WP bug that has the potential to bring down the entire site and/or expose the site's core. But we're talking about WP, so no big surprise here.

    Important rule for WP: Avoid plugins where possible, they're often even worse than legacy WP code itself.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:Chill. It's just a buggy update feature. by Anonymous Coward · · Score: 2, Informative

      Jesus man, RTFA once in a while. It's completely, 100%, malicious intent. It adds an admin user to the site with the dev's name/group name, and in case he couldn't log in he used the backdoor to upload a custom PHP script onto the installation to modify the wp-options file.

      When is the last time you've "accidentally" introduced a bug that sends all user logins to a server in India in cleartext by mistake? Does the fact that this plugin was dead for a year and suddenly has this new superpower not worry you?

    2. Re:Chill. It's just a buggy update feature. by Anonymous Coward · · Score: 0

      That comment was about the "forcibly taken over" part, not the "sending passwords to India" part. The original developer did not add the malicious code.

    3. Re:Chill. It's just a buggy update feature. by Anonymous Coward · · Score: 0

      Bingo.

      It was dead for a year and suddenly every single commit to the code was malicious. This is not a development error, this is intentional fucking over of the plugins userbase by a new developer.

      It's not a buggy update feature. It's not something to be chill about. Whoever updated to this latest version of the plugin has a problem on his hands.

    4. Re:Chill. It's just a buggy update feature. by Anonymous Coward · · Score: 0

      And to make it crystal clear: This isn't a case where someone exploited an auto-update feature to publish this malicious version.

      This is someone gaining access to the original dev account on WordPress, adding himself in as a developer, and publishing commits to the plugin for all to see with the malicious code inside.

      I mean, the article has the images of the plugins repo on WP, are you intentionally ignoring this?

    5. Re:Chill. It's just a buggy update feature. by Anonymous Coward · · Score: 3, Funny

      First rule of Wordpress: never use any plugins or themes
      Second rule of Wordpress: never use stock wordpress without additional plugins to fix security

      Make sure to follow both rules at all times or don't use Wordpress at all.

    6. Re: Chill. It's just a buggy update feature. by Anonymous Coward · · Score: 0

      A bug in auto-update sends my password in cleartext? If that is true then WordPress is malware.

    7. Re:Chill. It's just a buggy update feature. by drinkypoo · · Score: 2, Funny

      First rule of Wordpress: never use

      Here, FTFY: Your comment could have just stopped here. You could also omit the first three words without compromising it in any relevant way.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Chill. It's just a buggy update feature. by penguinoid · · Score: 0

      Hm, you just compressed 230 characters into 9, a 96% lossless compression ratio. Even better, the compressed file is still readable and can in fact be read much faster. If you could write a program to do this automatically, it could save us all so much reading time.

      PS: I tried to write a program to compress text to its bare meaning, but it was buggy. When I tested it on the latest politician's speech, it just outputted "null".

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    9. Re:Chill. It's just a buggy update feature. by Anonymous Coward · · Score: 0

      PS: I tried to write a program to compress text to its bare meaning, but it was buggy. When I tested it on the latest politician's speech, it just outputted "null".

      To me, it looks like it was working as intended.

    10. Re:Chill. It's just a buggy update feature. by JustAnotherOldGuy · · Score: 2

      Wordpress can be made pretty safe, but the default install is subject to all sorts of mischief and malicious twiddling. And the plugins are the Achilles' heel of Wordpress, no doubt about it.

      There are, however, several good plugins that can be used to harden Wordpress, most notably one called 'Wordfence'. I don't do many WP installs, but for me it's an absolute must-have plugin; it has loads of options to harden the system.

      Outside of that, do all the usual stuff: move the config file, make it read-only, don't use gobs of sketchy plugins, and exercise some restraint with what you do install. The fewer the plugins, the better. Use long, ugly passwords, no 'admin' user, etc etc etc.

      There are actually quite a few things that can be done to secure Wordpress, although I'd be the first person to say that the end user shouldn't have to do those things; they should be baked in as defaults.

      --
      Just cruising through this digital world at 33 1/3 rpm...
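The exchange earlier in the thread about the web daemon needing write access to its own tree, and the advice just above to keep the config file read-only, as an added defender-side example that is not part of this thread: a small Python audit that takes a hash baseline of a WordPress tree, reports files changed or added since that baseline (the altered-core-file and dropped-file cases the summary describes), and flags files that are group- or world-writable. The directory layout and file contents are constructed stand-ins, not real WordPress code.

```python
"""Integrity and permission audit for a WordPress tree (constructed example)."""
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its sha256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def changed_since(root, baseline):
    """Return (changed, missing): files whose digest differs from the baseline
    or that are not in it at all, and baseline files that have disappeared.
    A core file edited after deployment or a file dropped into the tree
    shows up in 'changed'."""
    current = build_manifest(root)
    changed = sorted(p for p, d in current.items() if baseline.get(p) != d)
    missing = sorted(p for p in baseline if p not in current)
    return changed, missing


def loosely_writable(root):
    """Files that are group- or world-writable. When the web daemon runs as a
    user other than the file owner, these are the files it could still
    rewrite; wp-config.php should never appear here."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                found.append(os.path.relpath(full, root))
    return sorted(found)


def _write(root, rel, text, mode=0o644):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)
    os.chmod(full, mode)


def demo():
    """Build a constructed mini tree, take a baseline, then simulate a core
    file being edited, an extra file appearing, and the config file being
    left writable. Returns the audit findings."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
    _write(root, "wp-login.php", "<?php // constructed stand-in for core login\n")
    _write(root, "wp-includes/user.php", "<?php // constructed stand-in\n")
    baseline = build_manifest(root)

    # Constructed tampering, no real payload: edit, drop, loosen permissions.
    with open(os.path.join(root, "wp-login.php"), "a") as f:
        f.write("// unexpected change\n")
    _write(root, "wp-content/uploads/extra.php", "<?php // unexpected file\n")
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)

    changed, missing = changed_since(root, baseline)
    result = {"changed": changed, "missing": missing,
              "writable": loosely_writable(root)}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken from a clean install and stored outside the web root, so that the same write access that alters a core file cannot also alter the manifest.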
  8. Re:plugin has been suppressed from the wordpress s by Hognoxious · · Score: 3, Funny

    So somebody did the needful?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  9. Re:plugin has been suppressed from the wordpress s by Anonymous Coward · · Score: 1

    I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...

    So, wordpress reacts to bad publicity, not to threats to their users. That's actually worse than if they did nothing, because if they did nothing we'd hear about it all the time, whereas now the questions are, "What else did Wordpress manage to close down just before it got written about on Slashdot? What else is Wordpress hiding?"

    Somewhere there are wordpress users who have installed this and either have not yet had their credentials stolen or have not yet had them used against them. Notifying their users should be the top priority. This should be front page on their site. This should be the top news on their blog. There is nothing there. Wordpress is still hiding things and letting down their users. This posting is not nearly aggressive enough.

  10. Where's the 4/7th Cav When You Need Them? by Anonymous Coward · · Score: 0

    Because they would mop up these Indians and be done with them before you can say Geronimo!

    1. Re:Where's the 4/7th Cav When You Need Them? by Anonymous Coward · · Score: 0

      Because they would mop up these Indians and be done with them before you can say Geronimo!

      You fell victim to one of the classic blunders - The most famous of which is "never get involved in a land war in Asia"

  11. fuck off SEO by Anonymous Coward · · Score: 0

    we haven't needed SEO in years. why do these asshats still exist? all they do is perpetuate spam, and con website owners out of their cash.

    1. Re:fuck off SEO by Anonymous Coward · · Score: 0

      Send them off a raised drawbridge with the UX "experts" in the back seat!

    2. Re:fuck off SEO by Anonymous Coward · · Score: 0

      Because India is a shithole of a country that should just be nuked off the map.

  12. Re:plugin has been suppressed from the wordpress s by thegarbz · · Score: 1

    I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...

    There is typically a delay between submitting a story to Slashdot and it actually being posted. This delay can account for changing facts in a case that is unfolding as the reporting on it progresses.

    What we need is more rigour on posting updates to stories where the facts change while the story is still fresh.

  13. Re:plugin has been suppressed from the wordpress s by LittleBigScript · · Score: 1

    So, you're saying they don't need the BadPress(tm)?

  14. Re:plugin has been suppressed from the wordpress s by Sadsfae · · Score: 2

    I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...

    So, wordpress reacts to bad publicity, not to threats to their users. That's actually worse than if they did nothing, because if they did nothing we'd hear about it all the time, whereas now the questions are, "What else did Wordpress manage to close down just before it got written about on Slashdot? What else is Wordpress hiding?"

    Somewhere there are wordpress users who have installed this and either have not yet had their credentials stolen or have not yet had them used against them. Notifying their users should be the top priority. This should be front page on their site. This should be the top news on their blog. There is nothing there. Wordpress is still hiding things and letting down their users. This posting is not nearly aggressive enough.

    Wordpress.com is very different from the community wordpress.org: one is a commercial entity that offers free and paid hosted wordpress services, and the latter is the upstream/open source wordpress community that offers wordpress for self-hosting.

    Neither of these entities is responsible for or has any control over 3rd party plugins like the one mentioned in the article. This would be like blaming Microsoft for someone releasing Win32 shareware that hijacked credentials.

    --
    Have a squat over at the hobo house.
  15. Re:plugin has been suppressed from the wordpress s by invictusvoyd · · Score: 1

    You mean stopped using wordpress ?

  16. Re:plugin has been suppressed from the wordpress s by Dunbal · · Score: 1

    Microsoft gets blamed for security holes all the time, and these are exploited by 3rd parties. Your last point makes no sense.

    --
    Seven puppies were harmed during the making of this post.
  17. Can a DDoS be justified here? by Anonymous Coward · · Score: 0

    The malware plugin sends login credentials of any user to a server run by the "developer." That has the potential to compromise a very large number of usernames and passwords. Because many users frequently reuse passwords, that has the potential to compromise accounts across a wide variety of services. There's a lot of damage that can be inflicted on unsuspecting users. Preventing the plugin from being distributed doesn't clean up the damage from existing installations. Normally I despise DDoS attacks because they're an offensive measure. However, in this case, a DDoS against the developer's server could actually mitigate more damage than it causes. There's no other easy way to take down the server without the assistance of law enforcement or whoever is hosting the server. It seems like a DDoS attack might actually be an ethical action to prevent more people from having their credentials compromised. Ideally, someone could compromise the developer's server and delete whatever data had been harvested. But it seems like a DDoS might actually be a more practical approach for mitigation. Can a DDoS be justified in any situation? I've always considered a DDoS attack unjustifiable, but in a situation like this, can such an attack be justified?

  18. Re:plugin has been suppressed from the wordpress s by Sax+Russell+5449D29A · · Score: 1

    I believe somebody just rebooted the server.

    --
    -SR
  19. Re:plugin has been suppressed from the wordpress s by Megol · · Score: 1, Interesting

    Your post doesn't make sense! Observe that we aren't talking about a bug or backdoor in an MS product, just software that uses the public API to do something. So do you really blame MS when someone downloads something that can run on a Windows machine and it happens to be malware?

    If so I hope you blame Linus whenever someone installs some malware on their Linux machine...

  20. What's the world coming to? by CanadianMacFan · · Score: 1

    Where is the pride that people used to have? At least use encryption to send the passwords back to your site! I mean, what's the point of gathering all of those passwords if you are going to send them in plain text for all of the world to see. Probably sent them directly to the final site too, instead of by a roundabout way that's hard to trace.

  21. Hay timmy, DA by LifesABeach · · Score: 1

    What's GD name OTF plug in?

    1. Re:Hay timmy, DA by LifesABeach · · Score: 1

      JC! I had to RTFA to find out it's called "Custom Content Type Manager (CCTM)"

    2. Re:Hay timmy, DA by drinkypoo · · Score: 1

      Amusingly, custom content types are a core Drupal feature. So here's another example of people trying to get functionality that's already in Drupal into their crappy WordPress install... and getting taken advantage of as a result.

      Yeah, nobody's perfect, Drupal had a hole in the database security layer not too long ago... but it ain't WordPress. Even if that's the best thing you can say about it, it's still inexplicable why people still choose to install WP.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Hay timmy, DA by Anonymous Coward · · Score: 0

      No, it's not.

      Custom post types have been supported in Wordpress, in core, for _years_. You just write a tiny bit of code in a plugin to enable them.

      This is one of many competing plugins that provides the ability to manage them from the front end, which most serious developers would consider to be a bad thing.

      Drupal's database layer hole was pretty serious, and in core, not in a third party plugin, right?

      Does Drupal core autoupdate for security patches like Wordpress core has done (again, for a couple of years?)

    4. Re:Hay timmy, DA by Anonymous Coward · · Score: 0

      Does Drupal core autoupdate for security patches like Wordpress core has done (again, for a couple of years?)

      Only if you suck Acquia's cock.

  22. Re:plugin has been suppressed from the wordpress s by Anonymous Coward · · Score: 0

    Is that because WP is fast or Slashdot is slow?

  23. Re:Is WordPress... by Anonymous Coward · · Score: 0

    So I was writing a blog post on Wordpress

    And suddenly, it's like, "BEEP BEEP BEEP" and then, like, half my blog post was gone.

    And I was like, "huh?"

    It devoured my blog post. It was a really good blog post.

    And then I had to write it again, and I had to do it fast so it wasn't as good.

    It's kind of... a bummer.

  24. Re: plugin has been suppressed from the wordpress by hackwrench · · Score: 1

    It depends. Does Microsoft make the theoretical program available through Windows Store?

  25. Re:plugin has been suppressed from the wordpress s by Anonymous Coward · · Score: 0

    So business as usual.
    Users? Fuck them, they don't pay.

  26. Re:Is WordPress... by __aaclcg7560 · · Score: 1

    And suddenly, it's like, "BEEP BEEP BEEP" and then, like, half my blog post was gone.

    You should have composed your blog post in a separate text file, copied and pasted it into the WordPress editor, and finalized the blog post.

  27. Re:plugin has been suppressed from the wordpress s by TechyImmigrant · · Score: 1

    I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...

    WP deserve all the criticism they get. Publishing a plugin architecture so open to privilege escalation should be illegal. They claim to be secure against common attacks. Yet privilege escalation via plugin doesn't count?

    From the Wordpress web site: "Since its inception in 2003, WordPress has undergone continual hardening so its core software can address and mitigate common security threats, including the Top 10 list identified by The Open Web Application Security Project (OWASP) as common security vulnerabilities, which are discussed in this document."

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  28. Re:Is WordPress... by JustAnotherOldGuy · · Score: 1

    You should have composed your blog post in a separate text file, copied and pasted it into the WordPress editor, and finalized the blog post.

    Whoosh!

    Enlightenment: https://www.youtube.com/watch?...

    --
    Just cruising through this digital world at 33 1/3 rpm...
  29. Re:plugin has been suppressed from the wordpress s by __aaclcg7560 · · Score: 2

    What we need is more rigour on posting updates to stories where the facts change while the story is still fresh.

    Like how The New York Times kept changing the content of an exclusive story on its website?

    http://www.poynter.org/2015/new-york-times-changes-its-hillary-clinton-story-again/360545/

  30. Re:Is WordPress... by __aaclcg7560 · · Score: 1

    Whoosh!

    I'm using a PC. That's why I gave my advice. ;)

  31. The name of the plugin belongs in the summary by rcharbon · · Score: 1

    Doesn't it?

  32. Re:Is WordPress... by KGIII · · Score: 1

    I read that not once, but twice, as "I'm used to being PC." I guffawed.

    --
    "So long and thanks for all the fish."
  33. Re:plugin has been suppressed from the wordpress s by Anonymous Coward · · Score: 0

    Even if they had, you'd still find a reason to piss your knickers and whinge.

  34. Re:plugin has been suppressed from the wordpress s by Anonymous Coward · · Score: 0

    Like how The New York Times kept changing the content of an exclusive story on its website?

    Yes. Exactly like that.

  35. Re:plugin has been suppressed from the wordpress s by KGIII · · Score: 1

    > Publishing a plugin architecture so open to privilege escalation should be illegal.

    Really? Illegal? Really?

    --
    "So long and thanks for all the fish."
  36. Re:plugin has been suppressed from the wordpress s by Anonymous Coward · · Score: 1

    wordpress.org is hosting this plugin

  37. Re:Is WordPress... by __aaclcg7560 · · Score: 1

    I read that not once, but twice, as "I'm used to being PC." I guffawed.

    I want to be a Mac. But my insurance doesn't cover those kinds of computational operations.

  38. Re:plugin has been suppressed from the wordpress s by meadow · · Score: 1

    Only a ban on the plugin? No prosecution? He committed a serious felony against thousands of people. So the government does nothing about it? Yeah, because they only shit their pants when someone tries to hack into their systems. To hell with the public.

  39. PHP: The gift that keeps on giving. by Anonymous Coward · · Score: 0

    Anyone who writes PHP or uses PHP software needs to be shot into the sun.

    It would solve so many of the world's problems.

    Our longstanding policy: PHP on your resume? Into the shredder it goes after it gets passed around and laughed at. Even the janitor gets a good laugh from it.

  40. Re:plugin has been suppressed from the wordpress s by thegarbz · · Score: 1

    Like how The New York Times kept changing the content of an exclusive story on its website?

    NO! Not at all. Not even in the slightest. I never said "change the content". I said "Posting Updates".

    I.e. if I had an edit button above I would write:
    Update 06/03/16: It seems most Slashdot posters think everything is some nefarious conspiracy.

  41. Re:plugin has been suppressed from the wordpress s by TechyImmigrant · · Score: 1

    > Publishing a plugin architecture so open to privilege escalation should be illegal.

    Really? Illegal? Really?

    Yes. When you also make claims that your software is secure.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  42. Re: Scumbag dot is a scumbag, film at 11 by Anonymous Coward · · Score: 0

    Another victim of outsourcing turns to bitter racism for comfort.

  43. Re: plugin has been suppressed from the wordpress by Otto · · Score: 2

    Actually, as soon as we were notified of the issue, the plugin was closed and hidden on a temporary basis until we had time to evaluate the problem. Once we had done so, I personally created a new version of the plugin, without the malicious code, and pushed it to the repository in order to get the update out to the affected users. The existing committers were all removed, leaving the plugin entirely in the hands of the plugin team. The latest version is now safe and will not be otherwise until we determine the full details of what happened here.

    Full disclosure is great, but some advance notice longer than a day or so helps a lot. We will always protect our users to the best of our ability, but sometimes we get blindsided. It happens. Nobody posts about the dozens of other times we fix things before they get exploited. Not judging, just saying.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.