Slashdot Mirror

← Back to Stories (view on slashdot.org)

WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext

Posted by timothy on from the considered-harmful dept.

An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites. "This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user's password is collected (in cleartext) and sent to his server. WordPress hasn't moved in to ban the plugin just yet, despite user complaints.

38 of 76 comments (clear)

  1. plugin has been suppressed from the wordpress site by Herve5 · · Score: 4, Informative

    I find the info quite aggressive agains WP, the plugin indeed has been banned, and before this second post...

    --
    Herve S.
  2. This took longer to happen than I thought by dbIII · · Score: 2, Informative

    Seriously guys, I know it's the quick and lazy way to put together a website but it's obvious that this sort of thing is going to happen in that creaking pile of php intentional or otherwise.

    1. Re:This took longer to happen than I thought by Bengie · · Score: 1

      The real question is why the web daemon even had permission to modify files.

    2. Re:This took longer to happen than I thought by phantomfive · · Score: 2

      Indeed, it might be said that wordpress itself is malware.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:This took longer to happen than I thought by Bengie · · Score: 1

      That's just asking for trouble. There should be a separate helper interface daemon that is heavily locked down and well tested that can modify files.

  3. Re:plugin has been suppressed from the wordpress s by Hognoxious · · Score: 3, Funny

    So somebody did the needful?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  4. Re:Chill. It's just a buggy update feature. by Anonymous Coward · · Score: 2, Informative

    Jesus man, RTFA once in a while. It's completely, 100%, malicious intent. It adds a admin user to the site with the devs name/group name, and in case he couldn't login he used the backdoor to upload custom php script onto the installation to modify the wp-options file.

    When is the last time you've "accidentally" introduced a bug that send all user logins to a server in India in cleartext by mistake? Does the fact that this plugin was dead for a year and suddenly has this new superpower not worry you?

  5. Re:plugin has been suppressed from the wordpress s by Anonymous Coward · · Score: 1

    I find the info quite aggressive agains WP, the plugin indeed has been banned, and before this second post...

    So; wordpress reacts to bad publicity not to threats to their users. That's actually worse than if they did nothing because if they did nothing we'd hear about it all the time whereas now the questions are, "What else did Wordpress manage to close down just before it got written about on Slashdot? What else is Wordpress hiding?"

    Somewhere there are wordpress users who have installed this and either have not yet had their credentials stolen or have not yet had them used against them. Notifying their users should be the top priority. This should be front page on their site. This should be the top news on their blog. There is nothing there. Wordpress is still hiding things and letting down their users. This posting is not nearly aggressive enough.

  6. Re:Chill. It's just a buggy update feature. by Anonymous Coward · · Score: 3, Funny

    First rule of Wordpress: never use any plugins or themes
    Second rule of Wordpress: never use stock wordpress without additional plugins to fix security

    Make sure to follow both rules at all times or don't use Wordpress at all.

  7. Re:plugin has been suppressed from the wordpress s by thegarbz · · Score: 1

    I find the info quite aggressive agains WP, the plugin indeed has been banned, and before this second post...

    There is typically a delay between submitting a story to Slashdot and it actually being posted. This delay can account for changing facts in a case that is unfolding as the reporting on it progresses.

    What we need is more rigour on posting updates to stories where the facts change while the story is still fresh.

  8. Re:plugin has been suppressed from the wordpress s by LittleBigScript · · Score: 1

    So, you're saying they don't need the BadPress(tm)?

  9. Re:plugin has been suppressed from the wordpress s by Sadsfae · · Score: 2

    I find the info quite aggressive agains WP, the plugin indeed has been banned, and before this second post...

    So; wordpress reacts to bad publicity not to threats to their users. That's actually worse than if they did nothing because if they did nothing we'd hear about it all the time whereas now the questions are, "What else did Wordpress manage to close down just before it got written about on Slashdot? What else is Wordpress hiding?"

    Somewhere there are wordpress users who have installed this and either have not yet had their credentials stolen or have not yet had them used against them. Notifying their users should be the top priority. This should be front page on their site. This should be the top news on their blog. There is nothing there. Wordpress is still hiding things and letting down their users. This posting is not nearly aggressive enough.

    Wordpress.com is very different than the community wordpress.org, one is a commercial entity that offers free and paid hosted wordpress services and the latter is the upstream/open source wordpress community that offers wordpress for self-hosting.

    Neither of these entities are responsible for or have any control over 3rd party plugins like the one mentioned in the article. This would be like blaming Microsoft for someone releasing Win32 shareware that hijacked credentials.

    --
    Have a squat over at the hobo house.
  10. Re:plugin has been suppressed from the wordpress s by invictusvoyd · · Score: 1

    You mean stopped using wordpress ?

  11. Re:Chill. It's just a buggy update feature. by drinkypoo · · Score: 2, Funny

    First rule of Wordpress: never use

    Here, FTFY: Your comment could have just stopped here. You could also omit the first three words without compromising it in any relevant way.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Re:plugin has been suppressed from the wordpress s by Dunbal · · Score: 1

    Microsoft gets blamed for security holes all the time, and these are exploited by 3rd parties. Your last point makes no sense.

    --
    Seven puppies were harmed during the making of this post.
  13. Re:Truly irresponsible by Dunbal · · Score: 3, Funny

    The developer should be extradited

    Why? He didn't hack a movie studio or a music studio, nor did he hack the government. Extradited, hahahahahahahahaha oh wait you were serious...

    --
    Seven puppies were harmed during the making of this post.
  14. Re:plugin has been suppressed from the wordpress s by Sax+Russell+5449D29A · · Score: 1

    I believe somebody just rebooted the server.

    --
    -SR
  15. Re:plugin has been suppressed from the wordpress s by Megol · · Score: 1, Interesting

    Your post doesn't make sense! Observe that we aren't talking about a bug or backdoor in a MS product, just that software that uses the public API to do something. So do you really blame MS when someone downloads something that can run on a Windows machine and it happens to be malware?

    If so I hope you blame Linus whenever someone installs some malware on their Linux machine...

  16. What's the world coming to? by CanadianMacFan · · Score: 1

    Where is the pride that people use to have? At least use encryption to send the passwords back to your site! I mean, what's the point of gathering all of those passwords if you are going to send them plain text for all of the world to see. Probably sent them directly to the final site too instead of round about way that's hard to trace.

  17. Hay timmy, DA by LifesABeach · · Score: 1

    What's GD name OTF plug in?

    1. Re:Hay timmy, DA by LifesABeach · · Score: 1

      JC! I had to RTFA to find out it's called "Custom Content Type Manager (CCTM)"

    2. Re:Hay timmy, DA by drinkypoo · · Score: 1

      Amusingly, custom content types are a core Drupal feature. So here's another example of people trying to get functionality that's already in Drupal into their crappy WordPress install... and getting taken advantage of as a result.

      Yeah, nobody's perfect, Drupal had a hole in the database security layer not too long ago... but it ain't WordPress. Even if that's the best thing you can say about it, it's still inexplicable why people still choose to install WP.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  18. Re: plugin has been suppressed from the wordpress by hackwrench · · Score: 1

    I t depends. Does Microsoft make the theoretical program available through Windows Store?

  19. Re:Is WordPress... by __aaclcg7560 · · Score: 1

    And suddenly, it's like, "BEEP BEEP BEEP" and then, like, half my blog post was gone.

    You should have composed your blog post in a separate text file, copy and paste into WordPress editor, and finalized the blog post.

  20. Re:plugin has been suppressed from the wordpress s by TechyImmigrant · · Score: 1

    I find the info quite aggressive agains WP, the plugin indeed has been banned, and before this second post...

    WP deserve all the criticism they get. Publishing a plugin architecture so open to privilege escalation should be illegal. They claim to be secure against common attacks. Yet privilege escalation via plugin doesn't count?

    From the Wordpress web site.. "Since its inception in 2003, WordPress has undergone continual hardening so its core software can address and mitigate common security threats, including the Top 10 list identified by The Open Web Application Security Project (OWASP) as common security vulnerabilities, which are discussed in this document."

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  21. Re:Is WordPress... by JustAnotherOldGuy · · Score: 1

    You should have composed your blog post in a separate text file, copy and paste into WordPress editor, and finalized the blog post.

    Whoosh!

    Enlightenment: https://www.youtube.com/watch?...

    --
    Just cruising through this digital world at 33 1/3 rpm...
  22. Re:plugin has been suppressed from the wordpress s by __aaclcg7560 · · Score: 2

    What we need is more rigour on posting updates to stories where the facts change while the story is still fresh.

    Like how The New York Times kept changing the content of an exclusive story on its website?

    http://www.poynter.org/2015/new-york-times-changes-its-hillary-clinton-story-again/360545/

  23. Re:Chill. It's just a buggy update feature. by JustAnotherOldGuy · · Score: 2

    Wordpress can be made pretty safe, but the default install is subject to all sorts of mischief and malicious twiddling. And the plugins are the Achilles Heel of Wordpress, no doubt about it.

    There are, however, several good plugins that can be used to harden Wordpress, most notably is one called 'Wordfence'. I don't do many WP installs but for me it's absolute must-have plugin; it has loads of options to harden the system.

    Outside of that, do all the usual stuff- move the config file, make it read-only, don't use gobs of sketchy plugins, and exercise some restraint with what you do install. The fewer the plugins, the better. Use long, ugly passwords, no 'admin' user, etc etc etc.

    There are actually quite a few things that can be done to secure Wordpress, although I'd be the first person to say that the end user shouldn't have to do those things- they should be baked in as defaults.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  24. Re:Is WordPress... by __aaclcg7560 · · Score: 1

    Whoosh!

    I'm using a PC. That's why I gave my advice. ;)

  25. The name of the plugin belongs in the summary by rcharbon · · Score: 1

    Doesn't it?

  26. Re:Is WordPress... by KGIII · · Score: 1

    I read that not once, but twice, as "I'm used to being PC." I guffawed.

    --
    "So long and thanks for all the fish."
  27. Re:plugin has been suppressed from the wordpress s by KGIII · · Score: 1

    > Publishing a plugin architecture so open to privilege escalation should be illegal.

    Really? Illegal? Really?

    --
    "So long and thanks for all the fish."
  28. Re:plugin has been suppressed from the wordpress s by Anonymous Coward · · Score: 1

    wordpress.org is hosting this plugin

  29. Re:Is WordPress... by __aaclcg7560 · · Score: 1

    I read that not once, but twice, as "I'm used to being PC." I guffawed.

    I want to be a Mac. But my insurance doesn't cover those kinds of computational operations.

  30. Re:plugin has been suppressed from the wordpress s by meadow · · Score: 1

    Only a ban on the plugin? No prosecution? He committed a serious felony against thousands of people. So the government does nothing about it? Yeah, because they only shit their pants when someone tries to hack into their systems. To hell with the public.

  31. Re:plugin has been suppressed from the wordpress s by thegarbz · · Score: 1

    Like how The New York Times kept changing the content of an exclusive story on its website?

    NO! Not at all. Not even in the slightest. I never said "change the content". I said "Posting Updates".

    I.e. if I had an edit button above I would write:
    Update 06/03/16: It seems most Slashdot posters think everything is some nefarious conspiracy.

  32. Re:plugin has been suppressed from the wordpress s by TechyImmigrant · · Score: 1

    > Publishing a plugin architecture so open to privilege escalation should be illegal.

    Really? Illegal? Really?

    Yes. When you also make claims that your software is secure.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  33. Re: plugin has been suppressed from the wordpress by Otto · · Score: 2

    Actually, as soon as we were notified of the issue, the plugin was closed and hidden on a temporary basis until we had time to evaluate the problem. Once we had done so, I personally created a new version of the plugin, without the malicious code, and pushed it to the repository in order to get the update out to the affected users. The existing committers were all removed, leaving the plugin entirely in the hands of the plugin team. The latest version is now safe and will not be otherwise until we determine the full details of what happened here.

    Full disclosure is great, but some advance notice longer than a day or so helps a lot. We will always protect our users to the best of our ability, but sometimes, we get blind sided. It happens. Nobody posts about the dozens of other times we fix things before they get exploited. Not judging, just saying.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.