Keylogger Found On Nearly 5,500 WordPress Sites (bleepingcomputer.com)
An anonymous reader writes: Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner. The malicious script is being loaded from the "cloudflare.solutions" domain, which is not affiliated with Cloudflare in any way, and logs anything that users type inside form fields as soon as the user switches away from an input field. The script is included on both the sites' frontends and backends, meaning it can steal both admin account credentials and credit card data from WP sites running e-commerce stores. According to site source code search engine PublicWWW, there are 5,496 sites running this keylogger. The attacker has been active since April.
Noxious flatulent gas clouds are flammable and prone to flare up. Avoid that risk by banning cloudflare from your world.
They don't say if it's WordPress itself or in a popular plug-in.
#DeleteFacebook
The extension thing was made known for over a year before FF57's release. Plenty of time for users and extension authors to get up to speed.
My bassoon reed is NOT a phallus.
How long have you been an A.C. crapflooder?
Client-side Malbolge. Try writing a cryptominer with *that*!
My first program:
Hell Segmentation fault
About 25 years, but what does this have to do with...
Wait... you're trying to come on to me? Hey, I'm no guy for just one night! I at least want dinner first.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
We need to switch to cryptographic authentication. FIDO U2F makes a lot of this moot.
With some software put in place at the CRAs, they could use FIDO devices to prevent opening new accounts. If you go into a bank with ID (Driver's ID, passport) and a FIDO device, the bank has done the best identification of you it can. Plug the key into a USB port in a computer, have the bank authorize trust establishment, and you generate 3 new key pairs--one for each CRA. The CRAs get the public key; the private key stays on your FIDO device. If it gets lost or stolen, call your bank, voice-verify, and they can cancel the trusts: your credit cards still work, but you can't open any new credit accounts until you physically enter a bank.
Credit cards? Your computer should have an EVM reader. Google accepts FIDO U2F authentication; Google Wallet (or Verified by Visa) could readily authenticate you before accepting a transaction, providing EVM--cryptographic credit card transacting.
Social Security? Walk into a DMV, Social Security building, or other Government building. They all federate trust. Generate a pile of new keys for all the Government service providers.
The weakest link is really any Internet provider to whom you authenticate, since you'll need a method of recovery. Anyone handling credit card transactions should use the CRAs as a secondary: if you can authorize a credit check, you're probably you.
You can lose personally identifiable information, but you can't lose authentication--not for any broad window, and not over the Internet.
Support my political activism on Patreon.
JavaScript is an old language, developed back when the web was a much safer place
...back before JavaScript?
The websites involved are irrelevant. The software they're running is irrelevant.
The real problem here is JavaScript, and more specifically, how JavaScript has pretty much no legitimate uses but a huge number of illegitimate, unwanted uses.
JavaScript adds nothing beneficial to the web. Some people will claim that JavaScript + AJAX can allow for a better user experience, but that's nonsense.
Just look at a site like Slashdot. The more that JavaScript has been used here, the worse the user experience has gotten! In the past it used to be easy to view all comments at -1. There were just a couple of dropdown menus for setting the threshold, and things just worked flawlessly. Now there's this goddamn JavaScript slider junk that often doesn't work, and even when it does work it's still several times slower than it was when using dropdown menus!
We shouldn't be distracted with irrelevant stuff like WordPress. We need to focus on the real problem: JavaScript.
The solution is clear: JavaScript needs to go.
I don't see how that could possibly be the issue.
Both NoScript 10+ and YesScript2 support Firefox 57+. If the users don't update their plugins after updating the browser, that's not really Mozilla's fault.
The old NPAPI support needed to die---for security reasons. Your attempt to cast a security improvement as a problem is ill-founded, and, quite frankly, idiotic.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Noscript 10 is pretty terrible though. At this point it looks and feels like an Alpha release.
How's YesScript? Any better?
Some of the most popular extensions are those that help prevent JavaScript from being used maliciously, and these kinds of extensions were among the ones to suffer the worst breakage, due to being so intricately tied to the operation of the browser.
Regarding ads:
uBlock Origin - was WebExtension compatible in advance, well before the release of FF57 (I use that one)
uBlock - was WebExtension compatible in advance, well before the release of FF57
AdBlock Plus - was WebExtension compatible in advance, well before the release of FF57
Regarding trackers:
FSF's Privacy Badger - was WebExtension compatible in advance, well before the release of FF57 (I use that one)
Regarding script blocking:
uMatrix - was WebExtension compatible in advance, well before the release of FF57
NoScript - well, Giorgio Maone was a tiny bit in a hurry, but still managed to make it compatible within a couple of days after the release of FF57. Still, kudos to him for having managed it. (I use that one)
etc.
Well, what was your point?
Yup, maybe that weird, specific, not widely known extension that 3 other people beside you use, and whose authors have abandoned it for the last 10 years, maybe that extension broke for you in FF57.
Meanwhile, all the major security extensions were transitioned more or less on time. Partly on the grounds of Mozilla crew members closely collaborating with extension authors, to make sure that their WebExtensions interface provides all the necessary APIs to make the functionality possible.
So I would suggest that you stop bitching about the change of API by spitting the same copy-pasta whining on each remotely relevant /. news story, and instead spend your time and effort switching to extensions with a tiny bit more active developers and a little bit more active community than whatever rare precious gem you were using up until now.
While there have been efforts to port some of these extensions to Firefox's new WebExtensions model, in some cases it has proven to be impossible to replicate the existing functionality because WebExtensions is so, for lack of a better word, crippled.
Which is why Mozilla devs have actively reached out to authors of popular XUL extensions to see how they could make them still work once transitioning to the WebExtensions API.
All the major security extensions worth mentioning have more or less finished transitioning, despite some of them not working on Google's Chrome spin of WebExtensions.
So I'm now wondering how many Firefox users are now browsing without any kind of protection from malicious JavaScript code. I'm thinking it could be a far higher number than we might expect.
I'm thinking it's only the stupider ones among them like you, who can't even put some thought into the selection of security tools they'll use.
Next time, pick an extension with an author that is still alive and a number of users which exceeds your direct family.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Random users :
"OOH MY GOD !!! NO !!!! ALL MY PRECIOUS PASSWORDS!!!!"
Users of password managers :
"Phew !... at least they didn't log these".
Users of NoScript (and other such popular script blocking extensions) :
"...yeah... whatever...."
---
Bonus:
Users of links/elinks/lynx, curl/wget and straight telnet :
"Bwaaah.... we're left out of the fun once again!..."
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Because they can use it to scam people out of $250 for 20 minutes work setting up a "website".
No sig today...
See subject & I'll add to what he said or missed - Javascript's misused like mad, slows you, runs on your dime clientside taking up power/cpu/ram & other forms of I/O + it slows you way, Way, WAY down! CGI bins/WinCGI run server side (so did ISAPI/NSAPI iirc but were often leaky due to being written in C as well as buffer overflow vulnerable thus - that could be changed by writing them in C++ instead, easily) NOT using YOUR POWER BILL or cpu cycles/ram & other I/O either.
Nobody has to note that Javascript's also HUGELY MISUSED in malware & trackers etc. too!
APK
P.S.=> Javascript has 1 decent use (but could be easily replaced by server-side processing methods noted above) in accessing database material (e.g. bankaccount, shopping, online tests etc.) but again, could be replaced by what I noted above that was around BEFORE script in documents online (dumb, they didn't even learn from Office program macros on that note - you open the door, trash comes blowing in)... apk
This is why my Wordpress site runs Wordfence and uses Google Authenticator. At least I have 2FA and everything thrown at it gets run through an analysis engine to detect known exploits (and attack patterns) before it gets passed onto Wordpress. Updating the plug-ins and theme also helps. It also runs inside a Docker container, without write access to the Wordpress core (just plug-ins, themes, and uploads).
It's nice software, but you need a security product dedicated to protecting that one piece of software if you're going to use it. Plus running as a Congressional candidate with an IT security background and getting hacked would be embarrassing.
Support my political activism on Patreon.
I wrote you the source code for a Linux port weeks ago and you still didn't do it? Also.. how would this even block a script running from the same domain, a la this particular exploit?
Nobody said that except you asshole.
It's well-known that Firefox 57 unnecessarily, but intentionally, broke most extensions for most users.
Have you tried to access cloudflare.solutions? I have and can't. Google shows this as a problem since 2011, I got nothing.
cloudflare.solutions isn't being blocked by me.
Being concerned when Mozilla breaks security extensions isn't 'bitching'.
Which security extensions got broken?
Most of the major ones got ported to WebExtension API well in advance.
The ones that were not ready on D-day, managed to get ready over the few days after the big switch.
Really, in practice, I haven't seen anyone I know bitten by missing security extensions.
If you're complaining that your specific security extension got broken, it means:
- you're using a very rare one. At least it means the biggest part of Firefox users (those who use the most common security extensions) aren't affected. Only the few eccentric people with unusual choices of extensions are affected, and they are a much smaller fraction of the user base.
- you're using a very rare extension, which is used by an extremely small number of other users. That might be a little bit problematic regarding security, because it means less opportunity to discover and fix bugs in the extension.
(Though some might argue that you could also be protected by the relative obscurity of your extension. There might be obvious ways to circumvent the security, but because there are only 5 users of this extension, nobody bothers to check).
- the author of the extension hasn't bothered to upgrade your extension for over a year. That by itself is a major security problem. It also means that, even if you keep the latest ESR version of Firefox instead of upgrading, your extension hasn't been fixed against any problem that might have been discovered over the past year.
It's disturbing that you, and apparently Mozilla, take such a carefree attitude about the security of FF's users.
Mozilla hasn't been taking a carefree attitude. They have been actively collaborating with the developers of extensions, including lots of security extensions, including the most popular extensions, just to make sure that WebExtension API provides everything needed to make the old XUL extensions portable to the new API.
I don't have a carefree attitude about security either.
That's why I have been following the evolution closely as soon as there was an announcement about the future deprecation of XUL extensions (in fact even earlier: I've been following since the release of Electrolysis and other such stability/security features, because even back before the announcement of API deprecation, some of these extra features did rely on all installed extensions only using the WebExtension API).
I've been checking the development of the extensions I use, and observed that lots of them were available rather fast with the new API. Even more so among security extensions, they were probably the fastest to react and port their code (or in the case of NoScript's guy : start to collaborate with Mozilla to see how the API could be adapted to their need).
All extensions that worked with FF 56 should have worked with FF 57. There's no excuse for them not to have worked.
I think that "this extension was written 10 years ago and since then we're not even sure if the dev is still alive" might be a good excuse, especially for a security extension (you know, those things are supposed to be kept up to date and adapted as new security threats arrive).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I'm going to go ahead and stick my head in a bear trap, but why does Mozilla rely so much on outside programmers to make the thing even borderline secure? I understand the reasoning not to include ad blockers, but some of the other commonly used extensions should just be baked in. Or am I really just too paranoid?
In a way you are paranoid, in that unlike most of the typical users you value your security much more than ease of use.
Most of the users don't have any idea about security. On the other hand, most of the users want to just watch their Netflix movie, post their shit on Facebook, etc. They want all the typical online activity to work straight out of the box.
Sadly, the current accepted standard behaviour of *ALL* browsers is to download and execute any bullshit linked in a web page, no questions asked
(though there are very tiny baby steps being made, like the "allow origin" HTTP(S) directive to restrict some APIs across different webservers).
That's how Chromium works, that's how Microsoft Edge works.
Web designers thus design the pages you visit taking that into account (just look at all the external scripts downloaded by most of the webpages. Any random simple thing that you visit, like a webshop to order something online, downloads and executes JavaScript libraries from at least a dozen different 3rd parties, some of which are absolutely critical for even the basic functionality of the webshop to work. Not everything from a 3rd party is something nefarious like a tracker).
So if suddenly Firefox were to by default block all non-whitelisted scripts, or block all scripts not originating from the same domain, most of the users would be seeing their usual web sites not working.
They will not be appreciating the sudden new added security to Firefox compared to everything else, they would be mostly noticing that most of "their web" is broken compared to any other browser.
You'd see backlash against non functioning stuff out-of-the-box.
You'd see users complaining that they need to whitelist and fine tune tons of stuff just to get facebook working.
You'd see less advanced users complaining that they don't even understand what a "whitelist" is, and why the hell do the Netflix pages stay entirely black?
So that's the current situation: current normal usage patterns (leading to current design techniques) lead to a situation which makes any increase of security hard without fundamentally breaking the online experience.
So, therefore, good JavaScript blockers currently need to be only offered as extensions for power users who know what they do, and are not afraid to do some tweaking to get the website to work back again.
Note: all the above only applies to the standard Firefox package as installed from the website.
Special packages targeting a specific user base differ:
the Firefox browser packaged as part of the Tor browser bundle has quite a few security extensions installed and enabled by default.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Dear "hosts" APK troll.
Nope, your hosts doesn't work in the case of malicious javascript code.
You can't block just scripts, while still letting through the plain HTML webpages.
A "hosts" entry can only block access to a whole domain.
Also it depends on the "hosts" list containing the new threat (it's fundamentally a black-listing approach. If a threat isn't known, a hosts list cannot prevent it).
Systems like NoScript are white-listing. They block by default unless told otherwise. I could never be affected by malicious JavaScript code running on "http://cloudflare.solutions/" even before I heard about it, because it's not among my whitelists.
Also, your bullshit only runs on Windows, and there's no source available for review. Not interested.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
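The summary at the top describes a keylogger injected as an external script include from a look-alike domain, and the comment just above contrasts a hosts-file blocklist with NoScript-style whitelisting. The following is an added example, not code from the article, from BleepingComputer or from any commenter: a small Python scanner that lists the hosts a page loads `<script src>` from, which is the check a site owner can run over their own pages to spot an unexpected include, and then judges each host under both policy models. The sample page, the host names `wordpress.example` and `cdn.example.net`, and the `PLACEHOLDER_PATH` on the `cloudflare.solutions` URL are constructed for the example; only the domain name itself comes from the article.

```python
# Added example (not from the article or any commenter): list the hosts a page
# loads <script src> from, then judge each host under a hosts-file style
# blocklist and a NoScript style allowlist. Sample page and host names are
# constructed; cloudflare.solutions is the domain named in the article, and
# the path on it is a placeholder.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def script_hosts(html, page_host):
    """Return the set of hostnames that serve scripts for this page.

    Absolute and protocol-relative URLs yield their own host; relative
    paths resolve to the page's own host. Non-network schemes such as
    data: and javascript: carry no host and are skipped.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        if "//" not in src:
            if ":" in src.split("/", 1)[0]:  # data:, javascript:, ...
                continue
            hosts.add(page_host.lower())
            continue
        host = urlsplit(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def blocklist_verdicts(hosts, blocked_hosts):
    """hosts-file model: a host is stopped only if it is already on the list."""
    return {h: ("blocked" if h in blocked_hosts else "allowed") for h in hosts}


def allowlist_verdicts(hosts, trusted_hosts):
    """NoScript model: a host is allowed only if it was explicitly trusted."""
    return {h: ("allowed" if h in trusted_hosts else "blocked") for h in hosts}


def unexpected_script_hosts(html, page_host, trusted_hosts):
    """Hosts the page pulls scripts from that the site owner did not expect.

    Running this over a site's own rendered pages (front end and admin pages
    alike) surfaces an injected include such as the one the article describes.
    """
    return sorted(h for h in script_hosts(html, page_host) if h not in trusted_hosts)


# Constructed sample: a WordPress-like page with its own jQuery, one legitimate
# CDN, an injected include from the look-alike domain (placeholder path), and a
# data: URL that carries no host at all.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example.net/lib/slider.min.js"></script>
<script type="text/javascript" src="https://cloudflare.solutions/PLACEHOLDER_PATH/injected.js"></script>
<script src="data:text/javascript;base64,Ly8gaW5saW5l"></script>
</head><body><form><input name="user"><input name="pass" type="password"></form></body></html>"""

PAGE_HOST = "wordpress.example"                      # constructed
TRUSTED = {"wordpress.example", "cdn.example.net"}   # constructed allowlist
KNOWN_BAD = set()  # a hosts list that has not yet learned about the new domain


if __name__ == "__main__":
    hosts = script_hosts(SAMPLE_PAGE, PAGE_HOST)
    print("script hosts:", sorted(hosts))
    print("blocklist verdicts:", blocklist_verdicts(hosts, KNOWN_BAD))
    print("allowlist verdicts:", allowlist_verdicts(hosts, TRUSTED))
    print("unexpected:", unexpected_script_hosts(SAMPLE_PAGE, PAGE_HOST, TRUSTED))
```

With an empty blocklist the look-alike domain passes straight through, which is the "unknown threat" gap the comment points at; the allowlist flags it without ever having seen the name. The same `unexpected_script_hosts` call, fed the HTML of each of a site's own pages with the hosts the owner actually intended, is a cheap periodic check for an injected include.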