Over the last three weeks, a trio of critical zero-day vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow hackers to redirect their visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers in releasing patches, and by site administrators in installing them, also contributed.
Last week, zero-day vulnerabilities in the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer plugins, used by 60,000 and 30,000 websites respectively, came under attack. Both plugins were removed from the WordPress plugin repository around the time the zero-day posts were published, leaving websites with little choice but to remove the plugins. On Friday, Yellow Pencil issued a fix, three days after the vulnerability was disclosed. As this post went live, Yuzo Related Posts remained unpatched.
The in-the-wild exploits against Social Warfare, a plugin used by 70,000 sites, began three weeks ago. The plugin's developers quickly fixed the flaw, but not before sites that used it had been hacked.
Scams and graft online
The three waves of exploits have caused sites running the vulnerable plugins to surreptitiously redirect visitors to sites pushing tech-support scams and other forms of online graft. In all three cases, the exploits came after a site called Plugin Vulnerabilities published detailed information on the underlying flaws. The posts included enough proof-of-concept exploit code and other technical details to make hacking vulnerable sites easy. Indeed, some of the code used in the attacks appeared to have been copied and pasted from Plugin Vulnerabilities' posts.
Within hours of Plugin Vulnerabilities publishing the Yellow Pencil Visual Theme Customizer and Social Warfare disclosures, the zero-day vulnerabilities were under active exploitation. It took 11 days after Plugin Vulnerabilities dropped the Yuzo Related Posts zero-day for in-the-wild exploits to be reported. No exploitation of any of these vulnerabilities was reported before the disclosures.
The three Plugin Vulnerabilities zero-day posts contained boilerplate language indicating that the unnamed author was publishing them to protest the "continued inappropriate behavior of the moderators of the WordPress Support Forum." The author told Ars that he tried to warn the developers only after the zero-days had already been published.
"Our current disclosure policy is to fully disclose vulnerabilities and then notify the developer through the WordPress Support Forum, although the moderators there often simply delete those messages and inform no one," the author wrote in an email.
According to a Warfare Plugins blog post published Thursday by the developer of Social Warfare, here is the timeline for March 21, the day Plugin Vulnerabilities dropped the zero-day for that plugin:
2:30 p.m. (approximately) – An unnamed individual released the exploit that hackers could take advantage of. We do not know the exact time of publication because the person hid the timestamp of the post. Attacks on unsuspecting websites began almost immediately.
2:59 p.m. – WordPress discovers the release of the vulnerability, removes Social Warfare from the WordPress.org repository and sends an email to our team about the problem.
3:07 p.m. – In a responsible and respectable manner, WordFence publishes its discovery of the post and the vulnerability, without giving details on how to take advantage of the exploit.
3:43 p.m. – Every member of the Warfare Plugins team is briefed, receives tactical instructions, and begins taking action on the situation in their own area: development, communications and customer support.
4:21 p.m. – A notice stating that we are aware of the exploit, along with instructions to disable the plugin until it is fixed, is posted on Twitter and on our website.
5:37 p.m. – The Warfare Plugins development team finalizes the code to fix the vulnerability and undo any injected malicious script that causes site redirection. Internal testing begins.
5:58 p.m. – After rigorous internal testing and submission of the corrected version to WordPress for review, the new version of Social Warfare (3.5.3) is released.
6:04 p.m. – An email is sent to all Social Warfare – Pro customers with details about the vulnerability and instructions to update immediately.
The author said he had published the Yuzo Related Posts and Yellow Pencil zero-days after noticing that both plugins had been removed from the WordPress plugin repository without explanation, which made him suspicious. "So while our posts may have led to exploitation, [it's] possible there was a parallel process going on," the author wrote.
The author also pointed out that 11 days elapsed between the publication of the Yuzo Related Posts zero-day and the first known exploits. Those exploits would not have been possible had the developer fixed the vulnerability during that interval, the author said.
When asked whether he felt any remorse for the innocent end users and website owners hurt by the exploits, the author said: "We don't have direct knowledge of what the hackers are doing, but it seems likely that our disclosures could have led to exploitation attempts. These full disclosures would have ceased long ago if the moderation of the support forum had simply been cleaned up, so any damage caused by them could have been avoided if they had simply agreed to clean it up."
The author declined to give a name or to say anything more about Plugin Vulnerabilities, other than that it is a service provider that finds vulnerabilities in WordPress plugins. "We try to stay ahead of the hackers because our customers are paying us to warn them about vulnerabilities in the plugins they use, and it is obviously better to warn them before those vulnerabilities can be exploited instead of after."
Whois Plugin Vulnerabilities?
The Plugin Vulnerabilities website has a copyright footer on each page listing White Fir Designs, LLC. Whois records for pluginvulnerabilities.com and whitefirdesign.com also list the owner as White Fir Designs of Greenwood Village, Colorado. A search of the State of Colorado's corporate database shows that White Fir Designs was incorporated in 2006 by a John Michael Grillot. In 2014, the Secretary of State's office changed the legal status of White Fir Design from "good standing" to "delinquent" because of its "failure to file a periodic report."
The author's main grievance with the WordPress Support Forum moderators, according to threads like this one, is that they delete his posts and accounts when he discloses unfixed vulnerabilities in the public forums. A recent Medium post said he had been "banned for life" but had vowed to continue the practice indefinitely using made-up accounts. Posts like this one show that Plugin Vulnerabilities' public outrage over the WordPress support forums has been brewing since at least 2016.
Certainly, there is plenty of blame to go around for the recent exploits. Plugins submitted by volunteers have long been the biggest security risk for sites running WordPress, and to date the open-source CMS's developers have not found a way to improve their quality sufficiently. In addition, plugin developers often take too long to fix critical vulnerabilities, and site administrators take too long to install the fixes. The Warfare Plugins blog post offers one of the better apologies for its role in not catching the critical flaw before it was exploited.
But most of the blame belongs to a self-described security provider who readily admits to dropping zero-days as a form of protest or, alternatively, as a way of protecting customers (as if exploit code were needed to do that). With no apology or remorse from the discloser, not to mention a dizzying number of poorly audited plugins in the WordPress repository, it would not be surprising to see more zero-day disclosures in the coming days.