Slashdot Mirror


Popular WordPress Plugin WPML Hacked By Angry Former Employee (zdnet.com)

A very popular WordPress plugin was hacked over the weekend after a hacker defaced its website and sent a mass message to all its customers revealing the existence of supposed unpatched security holes. From a report: In a follow-up mass email, the plugin's developers blamed the hack on a former employee, who also defaced their website. The plugin in question is WPML (or WP MultiLingual), the most popular WordPress plugin for translating and serving WordPress sites in multiple languages. According to its website, WPML has over 600,000 paying customers and is one of the very few WordPress plugins that is so reputable that it doesn't need to advertise itself with a free version on the official WordPress.org plugins repository. But on Saturday, ET timezone, the plugin faced its first major security incident since its launch in 2007. The attacker, who the WPML team claims is a former employee, sent out a mass email to all the plugin's customers.

37 comments

  1. Security by Anonymous Coward · · Score: 0, Insightful

    If your security is so shitty that a *former* employee can deface your website, you basically don't have any security...

    1. Re:Security by Narcocide · · Score: 2

      No, this is what happens after you lay them off because you thought they weren't doing anything.

    2. Re:Security by Anonymous Coward · · Score: 0

      no this is what happens after you lay off the lazy shits that knew of the hole and had no idea because you hired with affirmative action

    3. Re:Security by Desler · · Score: 4, Informative

      It's also a joke that in 2019 WordPress has no notion of sandboxing plugins so that any security holes they do have could be reasonably contained. Why do they still allow plugins to be huge gaping security holes?

    4. Re:Security by Anonymous Coward · · Score: 0, Insightful

      Because PHP is still a fractal of bad design.

    5. Re:Security by Anonymous Coward · · Score: 0

      You can bitch all you want about an insanely popular scripting language, it doesn't change the fact that people build amazing quality working applications with it, and a *lot* of them. Real devs ship. Fake devs spend their time bitching about toolsets.

      The fun thing with Wordpress is that it auto-updates. It looks like in this instance the plugin itself wasn't hacked, just the website they use to manage it, however in the case that Wordpress gets hacked, within hours a large chunk of the world's websites will be pwned.

    6. Re:Security by Anonymous Coward · · Score: 0

      who the fuck needs qa engineers?

      microsoft doesn't have any. the home user is the test pool.

    7. Re:Security by sproketboy · · Score: 1

      A better question is why does garbage like WordPress still exist.

    8. Re:Security by ilsaloving · · Score: 1

      Wordpress is a sloppily designed CMS written in the sloppily designed language PHP.

      The entire architecture is so laughably bad that it's no surprise at all that they have to deal with security issues on an almost weekly basis. Wordpress is designed to be easy to get up and running. That's why it's popular. Security, maintenance and data workflow are all afterthoughts that need to be shoehorned in.

      This situation is completely unavoidable. There is no facility in the language for supporting something as sophisticated as sandboxing. Furthermore, WPML is a deeply embedded plugin that is effectively one layer directly above the actual content. Even if sandboxing were possible, WPML would be very difficult to sandbox because of how deeply it sticks its fingers.

  2. They didn't change passwords when he/she left? by Anonymous Coward · · Score: 0

    The first thing that happens when an employee leaves (particularly someone who has access to files) is to CHANGE ALL THE PASSWORDS! DUH!

    1. Re:They didn't change passwords when he/she left? by Anonymous Coward · · Score: 0

      You see, that's your first mistake.
      Having multiple passwords. Difficult to remember them all.

      Unless you name your passwords like Rimuru names the Orcs, you'll have no chance of remembering them. So you write them down. Now you can remember them, but it's a security issue. But you can remember the passwords. Where's the balance?

      Answer :: Use a single password for everything. Easy to remember and secure since you don't write it down anywhere.
      Easy-peasy.

      You're welcome ...

      CAP === 'inexact'

    2. Re: They didn't change passwords when he/she left? by Anonymous Coward · · Score: 0

      Oh fuck where do you kids get this shit? No!

      You use MFA keyed back to a central system like Okta or AD or an RSA device or any number of things. When they leave you check the Disable User box and they are out.

    3. Re:They didn't change passwords when he/she left? by mattyj · · Score: 1

      Yeah, I would hardly categorize this as a 'hack', and more like a company that knows nothing about how to handle terminations. The headline should read:

      "Popular WordPress plugin WPML fails to properly off-board former employee, website defaced"

  3. Wordpress got hacked???? by Anonymous Coward · · Score: 0

    What year is it, 2002, 2003, 2004... 3019? Every year this happens

    1. Re: Wordpress got hacked???? by Anonymous Coward · · Score: 0

      I thought that it would end with n+1. I'm brainwashed.

    2. Re:Wordpress got hacked???? by Anonymous Coward · · Score: 0

      They are just trying to catch up with Adobe...

  4. Re: The daily show is your news source? Oh my god by Anonymous Coward · · Score: 1

    Do you have an actual rebuttal to the fact checking?

  5. You got smoked by your own lies, deal with it fag. by Anonymous Coward · · Score: 0

    The comedy show referenced the fake Fox News verbatim, it was fact checked and proven valid. When a comedy show OWNS FACTUALLY your "news" operation? YOU GOT SMOKED BY YOUR OWN LIES, MORON.

    Deal with it snowflake.

  6. Re: The daily show is your news source? Oh my god by Anonymous Coward · · Score: 0

    Cool Fact: The Daily Show was originally a parody of network news. Being a show on the "Comedy Central" channel should be a give-away.

    All the kids started watching it instead of "real" news and then it then evolved into an ultra-left hate-spouting alternate-news program.

  7. Re: The daily show is your news source? Oh my god by Anonymous Coward · · Score: 0, Informative

    If you hate being factually challenged and proven a liar constantly, one easy solution is to stop lying faggot Republicans. It's so simple even a GOP caveman can do it - or can you? I thought you could... maybe?

    Let's see if you can go 3 minutes without lying, then we'll double it. If you Trumptards make it one full day without a single lie, you may even graduate back to society. But let's not get ahead of ourselves.

    You are backing a traitor right now, that can't be easily repaired. He's literally Putin's dick cozy. Literally, Trump keeps Putin's cock warm for his livelihood and well-being ongoing. Mueller brings the thick rope soon though.

    Rope doesn't lie, Republican traitors. Memba dat.

  8. Enjoy your criminal record, idiot by bigmacx · · Score: 5, Insightful

    Hope they get this idiot charged and release their name.

    Every time one of these "inside" IT type persons does something against an employer by using their privileged access to their systems, it makes it more difficult for all of us to operate within our own companies. And don't try to fault me by the "ex-employee" logic. Any one of us knows full well we could fsck with a former employer's systems even if they think they've locked us out.

    Those in our field that violate the trust placed in us by employers should be drawn and quartered, tarred and feathered. At the very least named and shamed.

    1. Re:Enjoy your criminal record, idiot by Anonymous Coward · · Score: 0

      His name is Christopher Dale Reimer.

    2. Re:Enjoy your criminal record, idiot by Anonymous Coward · · Score: 0

      Any one of us knows full well we could fsck with a former employer's systems even if they think they've locked us out.

      Then you've done your job poorly.

    3. Re:Enjoy your criminal record, idiot by Anonymous Coward · · Score: 0

      Probably. Name one human being in all of history that has achieved 100% perfection in all of their endeavours?

      Dismissing reality because it's not perfect is exactly why these sorts of things happen. Holes exist, former employees know about them. That is reality.

    4. Re:Enjoy your criminal record, idiot by Anonymous Coward · · Score: 0

      Those in our field that violate the trust placed in us by employers should be drawn and quartered, tarred and feathered. At the very least named and shamed.

      Funny. A friend of mine does independent contracting and most of his jobs involve converting WordPress to "literally anything else".

      Anyways you are being too lenient on this guy. As far as ex-employees go, some people want Snowden dead. Some people on the other hand know what the word "every" means by the time they get a degree in Computer Science. Are you so sure this guy didn't do you a favor for the wrong reasons?

    5. Re:Enjoy your criminal record, idiot by Anonymous Coward · · Score: 1

      Or, you know, employers could treat their employees well and build loyalty. Crazy, I know.

    6. Re:Enjoy your criminal record, idiot by Anonymous Coward · · Score: 0

      I agree completely, but I think tarring and feathering should be done before being drawn and quartered.

    7. Re:Enjoy your criminal record, idiot by Errol+backfiring · · Score: 1

      Please think of the horses. They shouldn't get tar and feathers on their skin.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!

    8. Re:Enjoy your criminal record, idiot by Anonymous Coward · · Score: 0

      Funny. A friend of mine does independent contracting and most of his jobs involve converting WordPress to "literally anything else".

      Funny! My job involves turning "literally anything" into a wordpress site! Maybe we could team up?

    9. Re:Enjoy your criminal record, idiot by Anonymous Coward · · Score: 0

      No, the employee has limited responsibility in this case, even if an ex. Any employer that has holes that can be used by an ex-employee is already fscking their clients by relying on security through obscurity.

    10. Re:Enjoy your criminal record, idiot by ilsaloving · · Score: 2

      Or, you know, employers could treat their employees well and build loyalty. Crazy, I know.

      Why are you assuming they didn't? Some people are just assholes. If someone is willing to pull a stunt like this, I'm inclined to believe that they weren't a particularly good admin to begin with.

  9. I'd like to see his proof reviewed by experts ... by Qbertino · · Score: 1

    ... and then, if he's proven to be reasonably right with his accusations, be let off the hook. It should be very easy to check the WPML codebase and the security holes he speaks of. And if they exist in the ways he says and are as easily exploited as he says, I'd be willing to believe him more than I would believe the WPML team.
    When it comes to WP Plugins WPML is one of the better ones, but I've seen so much shit in the WP world that it wouldn't surprise me if WPML were borked in some amateurish manner, as the man accuses them of being.

    My 2 cents.

    --
    We suffer more in our imagination than in reality. - Seneca

  10. Yes, but where's the clickbait? by Anonymous Coward · · Score: 0

    Gotta claim HAXX0RIN and HAX or people won't CLICK because that's the law of INTERTUBES CLICKBAIT.

    Or maybe it's just idiot editors picking idiot stories to share.