WordPress Auto-Update Server Had Flaw Allowing Persistent Backdoors In Websites

mask.of.sanity quotes a report from The Register: Up to a quarter of all websites on the internet could have been breached through a since-patched vulnerability that allowed WordPress' core update server to be compromised. The since-shuttered remote code execution flaw was found in a php webhook within api.wordpress.org that allows developers to supply a hashing algorithm of their choice to verify code updates are legitimate. Matt Barry, lead developer of WordPress security outfit WordFence, found attackers could supply their own extremely weak hashing algorithm as part of that verification process, allowing a shared secret key to be brute-forced over the course of a couple of hours. The rate of guessing attempts would be small enough to fly under the radar of WordPress' security systems. Attackers that used the exploit could then send URLs to the WordPress update servers that would be accepted and pushed out to all WordPress sites. Web-watching service W3techs.com reckons those sites represent 27.1 per cent of the entire world wide web. "By compromising api.wordpress.org, an attacker could conceivably compromise more than a quarter of the websites worldwide in one stroke," Barry says. "We analyzed [WordPress] code and found a vulnerability that could allow an attacker to execute their own code on api.wordpress.org and gain access to it. Compromising this [update] server could allow an attacker to supply their own URL to download and install software to WordPress websites, automatically." Attackers could go further; once a backdoored or malicious update was pushed out, they could disable the default auto updates preventing WordPress from fixing compromised websites.

To put things in perspective ...

[Qbertino]

WordPress has north of 100 Million active installations on the web (100 000 000+).
Again, in words: thats more than one-hundred-million in active, running installations on the web.
The last critical exploit was about half a year ago and had infected roughly 8000 installations by the time it was patched

I don't know about you, but I'd say that's a pretty impressive security track record for a piece of software written on Crack, in PHP, by people who didn't have the slightest idea about software architecture back in 2001, mostly running on LAMP and that gets installed and run by n00bs 99.99 % of the time and is constantly exposed to the open intarweb and an onslaught of permanent attacks.

Try that with any OOAD-buzzword-compliant 'cleanroom designed' Java or Ruby thingie. Good luck.

My 2 cents.