Keylogger Found On Nearly 5,500 WordPress Sites (bleepingcomputer.com)
An anonymous reader writes: Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner. The malicious script is being loaded from the "cloudflare.solutions" domain, which is not affiliated with Cloudflare in any way, and logs anything that users type inside form fields as soon as the user switches away from an input field. The script is included on both the sites' frontends and backends, meaning it can steal both admin account credentials and credit card data from WP sites running e-commerce stores. According to site source code search engine PublicWWW, there are 5,496 sites running this keylogger. The attacker has been active since April.
It's well-known that Firefox 57 unnecessarily, but intentionally, broke most extensions for most users. It was released back in the middle of November, and many users upgraded to it without realizing how it would break their extensions. It doesn't help that they didn't have an easy way to downgrade to Firefox 56.
Some of the most popular extensions are those that help prevent JavaScript from being used maliciously, and these kinds of extensions were among the ones to suffer the worst breakage, due to being so intricately tied to the operation of the browser.
While there have been efforts to port some of these extensions to Firefox's new WebExtensions model, in some cases it has proven to be impossible to replicate the existing functionality because WebExtensions is so, for lack of a better word, crippled.
So I'm now wondering how many Firefox users are now browsing without any kind of protection from malicious JavaScript code. I'm thinking it could be a far higher number than we might expect.
As an experienced Firefox user and a longtime programmer, I found it awkward enough to find alternative extensions that would work with Firefox 57 and at least partially replicate the locked-down experience I easily got with Firefox 56 and earlier. I'm sure that less-experienced or less-knowledgeable users would find it far more difficult, and some of them probably wouldn't even realize that they have no real protection at all any longer.
Although I hope I'm wrong, I fear that Firefox 57 and its breaking of JavaScript-limiting extensions may have allowed attacks like these to become far easier and simpler to implement, and the breaking of extensions in Firefox 57 may have left a lot of unsuspecting people vulnerable to attacks they think they're protected from, not realizing that their protective browser extensions are no longer working.