Slashdot Mirror
WordPress Auto-Update Server Had Flaw Allowing Persistent Backdoors In Websites (theregister.co.uk)
mask.of.sanity quotes a report from The Register: Up to a quarter of all websites on the internet could have been breached through a since-patched vulnerability that allowed WordPress' core update server to be compromised. The since-shuttered remote code execution flaw was found in a php webhook within api.wordpress.org that allows developers to supply a hashing algorithm of their choice to verify code updates are legitimate. Matt Barry, lead developer of WordPress security outfit WordFence, found attackers could supply their own extremely weak hashing algorithm as part of that verification process, allowing a shared secret key to be brute-forced over the course of a couple of hours. The rate of guessing attempts would be small enough to fly under the radar of WordPress' security systems. Attackers that used the exploit could then send URLs to the WordPress update servers that would be accepted and pushed out to all WordPress sites. Web-watching service W3techs.com reckons those sites represent 27.1 per cent of the entire world wide web. "By compromising api.wordpress.org, an attacker could conceivably compromise more than a quarter of the websites worldwide in one stroke," Barry says. "We analyzed [WordPress] code and found a vulnerability that could allow an attacker to execute their own code on api.wordpress.org and gain access to it. Compromising this [update] server could allow an attacker to supply their own URL to download and install software to WordPress websites, automatically." Attackers could go further; once a backdoored or malicious update was pushed out, they could disable the default auto updates preventing WordPress from fixing compromised websites.
You could've just left the summary as "Wordpress".
Would've conveyed the same message.
That someone thinks hacking Wordpress is news or that 25% of the internet runs on Wordpress :|
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
OSS = our security's shit
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Set a man a fire
Set a man afire
It actually makes sense that way.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
So how would someone know if their WP site was hacked or not?
100% of computers have flaws that allow zero-day exploits to be delivered to them, if only you can find them and exploit them before they're patched.
News at 11.
Yes, it seems like a major vulnerability was patched. So fucking what? That happens all the time with computers these days, because people DON'T CARE that their systems are vulnerable as long as they gets their cat videos delivered with Metro style.
captcha: insights
I'm converting my WordPress websites to static websites, removing PHP and database from the backend. The Russian and Southeast Asian hackers can kiss my shiny text files.
I ran a low traffic WordPress blog for many years. WordPress has many great features but between insecure plugins and a constantly updating core system, it just takes too much time to administer for someone who just wants to host a simple no-fuss blog.
My advice is for anyone starting a personal blog is to either use a WordPress hosting company or just go with something like Tumblr. You don't get the flexibility, but your life will be easier.
I got so fed up that I wrote my own static site generator to run my site. It doesn't have the nice features of WordPress but it certainly won't collapse under load and I get to laugh at the script-kiddies trying to hack the non-existent php scripts.
sheep.horse - does not contain information on sheep or horses.
A vulnerability in WordPress?
I have to admit, I'm more than a little surprised to hear this would happen considering the solid history of quality and security that the program has, in addition to the fact that it's written in PHP, which I think we can all agree is as close as you can get to being unassailable by hackers. I mean PHP is the literal poster child for programming language competence and security.
I wonder if this is some of that "fake news" that I keep hearing about.
WordPress has north of 100 Million active installations on the web (100 000 000+).
Again, in words: thats more than one-hundred-million in active, running installations on the web.
The last critical exploit was about half a year ago and had infected roughly 8000 installations by the time it was patched
I don't know about you, but I'd say that's a pretty impressive security track record for a piece of software written on Crack, in PHP, by people who didn't have the slightest idea about software architecture back in 2001, mostly running on LAMP and that gets installed and run by n00bs 99.99 % of the time and is constantly exposed to the open intarweb and an onslaught of permanent attacks.
Try that with any OOAD-buzzword-compliant 'cleanroom designed' Java or Ruby thingie. Good luck.
My 2 cents.
We suffer more in our imagination than in reality. - Seneca