
WordPress.org Hacked, Plugin Repository Compromised

Posted by CmdrTaco
from the ok-that's-kinda-scary dept.
An anonymous reader writes "Back in April hackers gained access to the WordPress.com servers and exposed passwords/API keys for Twitter and Facebook accounts. Now, hackers gained access to WordPress.org and the plugin repository. Malicious code was found in several commits including popular plugins such as AddThis, WPtouch, or W3 Total Cache. Matt Mullenweg decided to force-reset all passwords on WordPress.org. This is a great reminder for all users not to use the same password for two different services."
  • and a great reminder as well.
    • 5/2=2
      1 is the remainder.

      Idiocracy here we come!

      • Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

        • Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

          But the typos are a subtraction.

        • by Tetsujin (103070)

          Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

          Please excuse my dear aunt Sally. She's very pedantic about these sorts of issues.

  • ... that Wordpress will now stop replacing quotes and doublequotes in users' contributions with bird droppings?

    If so, yay!

  • by wjousts (1529427) on Wednesday June 22, 2011 @09:26AM (#36527268)

    It's looking increasingly like this year is going to be the year of the hacker. It's a new security breach every week (often several per week). It's getting to be quite dizzying.

    Gonna be a tough year for IT security "professionals".

    • by SatanClauz (741416) on Wednesday June 22, 2011 @09:32AM (#36527348)
      Tough year? How about the year people finally realize security "professionals" are actually NEEDED!
      • by wjousts (1529427)
        That was kinda my point. It's going to be the year when the "professionals" get separated from the Professionals.
        • Ah, yes. Good point! You mean the custodian's brother that knows how to turn on windows firewall shouldn't be doing my security? =cO
      • by S.O.B. (136083)

        I think it's more basic than that, business units in big corps need to realize that they have to stop squeezing IT budgets. I've personally had to fight for security and stability fixes/patches because if they can't see it then they won't pay for it. Of course there's always plenty of money for a new feature or a new pretty graphic.

        They have security professionals but any actions they recommend that actually cost money are ignored or deferred until they have an actual problem.

      • by Jawnn (445279)

        Tough year? How about the year people finally realize security "professionals" are actually NEEDED!

        Word. Maybe, just maybe, some suits will decide that, "Gee. Maybe we should spend some serious money on security..."
        You know, like actually real actual security professionals and buy basic tools that would prevent many of the hacks we've read about.
        [pauses...] Naaaahh.

        • by Lumpy (12016)

          They hire minimum wage lackeys for the physical security... what makes you think they will hire someone skilled for the IT security?

      • by CastrTroy (595695)
        The problem is that there is no proper definition of "professionals" as far as computer security is concerned. Professional usually means somebody that is licensed by a state overseen organization to work in a specific field. This includes medical doctors, lawyers, engineers (some countries), and accountants among others. I don't believe that there exists any similar oversight for licensing of computer network security personnel. There are a lot of certifications put out by the likes of Cisco, Oracle, M
      • by MrNemesis (587188)

        people finally realize security "professionals" are actually NEEDED!

        Or, if you know some of the people I've worked with, it'll be more a "as soon as the authorities have caught up with these LulzSec people, there won't be any more haXx0ring vectors, so what's the point in patching the servers? It's not like WE'D be a target anyway!". IME most companies won't give a shit about easily enforced and executed pre-emptive security until there's a thousand trojans running around the network and the entire company

    • by Anonymous Coward

      Tough? Lucrative is more the word I would use. Imagine all those CTOs messing themselves that they could be next, willing to pay over the odds to get a quick fix in.

      Make hay while the sun shines!

    • by wiredog (43288)

      That's been every year since, oh, sometime in the last quarter of the last century.

    • by ygbsm (158794)

      You mean year of the criminal scum bag, right? It's time our community quit treating some of these guys like heroes and freedom fighters - they're vandals, crooks, and thieves, and need to be treated as such. There are no "grey hats" - you're either a white hat or a black hat, and you can't be both.

      • by Hatta (162192)

        They're *all* grey hats.

      • by ArhcAngel (247594)
        That sounds eerily similar to what the king of England said a little over 200 years ago when tea [boston-tea-party.org] was dumped [wikipedia.org] in a harbor [eyewitnesstohistory.com] by some "criminals" [socialstudiesforkids.com].
      • by billcopc (196330)

        Don't delude yourself. Without these high-profile vandals, we'd all be running around with "1-2-3-4-5" as our password, ripe for the real bad guys to plunder. At least these pranksters are raising awareness while causing relatively small damage.

        I'm still amazed at the frequency of these high-profile breaches, mostly because developers and business owners should know better by now, but that's largely because I easily forget the fact that most people are terminally stupid. I distinctly recall one morning w

      • by wjousts (1529427)
        Yes. I don't consider them heroes either. At best they are an angry mob, and mob rule isn't a desirable thing either.
    • by X.25 (255792) on Wednesday June 22, 2011 @11:13AM (#36528760)

      It's looking increasingly like this year is going to be the year of the hacker. It's a new security breach every week (often several per week). It's getting to be quite dizzying.

      Gonna be a tough year for IT security "professionals".

      Professionals left that world and went onto other things when suits concluded that security products are enough.

      So now, it'll be hackers vs security products and trained monkeys. Fun all around.

    • by sqldr (838964)
      I can't wait for this year's version of this:

      http://pwnies.com/
      We all had a good laugh at microsoft's CSS "protection" code, but compared to this year, microsoft are starting to look quite good..
  • Perhaps someone is just sniffing their email. They send all the passwords in plain text! WTF mate?
  • by Anonymous Coward

    Is it too difficult to, instead of storing the actual passwords, store a hash and during authorization just compare the hashes?

  • A great reminder? (Score:5, Insightful)

    by iateyourcookies (1522473) on Wednesday June 22, 2011 @09:32AM (#36527356)
    "This is a great remainder [sic] for all users not use the same password for two different services."

    Not it's not. Not even slightly.

    The amount of mental effort required by users to memorise a different password for every internet site is at best unreasonable, if not a completely insane idea. While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

    Blaming the user here is unreasonable.
    • It is good practice to use multiple passwords for different services.

      I do it and I have A LOT of passwords to memorize. Luckily, I wrote them down on a piece of paper and have that kept in a safe place as I do tend to forget those that I hardly visit from time to time.

      Now I know writing passwords in a text document and saving it on your PC is stupid, but writing it down on a piece of paper isn't. It's about how it's written, if you write passwords and leave it in your jewelry box or personal safe or with

      • by ccguy (1116865)

        It is good practice to use multiple passwords for different services.

        What good is that when you can reset/recover all passwords using the same email account?

        • by Grauwyler (861821)

          It is good practice to use multiple passwords for different services.

          What good is that when you can reset/recover all passwords using the same email account?

          Then you just need a unique email account for each service that you sign up for.

        • by heypete (60671)

          Google Mail, as an example, supports two-factor authentication (either with a smartphone app, a pre-printed list of one-time codes, or SMS messages to mobile phones). Enabling this feature makes it much more difficult for bad guys to compromise an account.

    • by Otto (17870)

      Use an encrypted password storage system like 1Password or LastPass. Yes, it's not perfect, but what is? Passwords that don't look like line noise are vulnerable nowadays.

      • by jank1887 (815982)

        got it. will only ever log in from a single PC/mobile device. no need to remember more than 1 password evar.

    • The user could just put the name of the website into the password. That will make it easy for someone to figure out their password scheme if they always use the same format of websitename-mypassword, but if they use it only for sites which store hashes, then it's going to be extremely unlikely that anyone will crack their passwords through pure brute force.

    • by pongo000 (97357)
      While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

      I was going to mod this up, but thought it might be a good time for my annual suggestion of using passphrases [diceware.com] instead of random sequences of characters. Much easier to remember, and a short 3-word passphrase (maybe with a random character to increase entropy) usually satisfies the moronic
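The strength arithmetic behind the passphrase suggestion above, as an added example that is not code from the thread or from the Diceware project: Diceware picks each word with five dice rolls from a list of 6^5 = 7776 words, so a uniformly chosen 3-word passphrase carries 3 x log2(7776), about 38.8 bits, and each extra random printable character adds about 6.6 bits. The word list itself is not embedded here; the code produces the five-digit keys that index it and uses the `secrets` module rather than physical dice, which is this example's substitution.

```python
# Added example: rolling Diceware word keys with a CSPRNG and computing the
# entropy of the resulting passphrase. Real word lists are at diceware.com.
import math
import secrets
import string

DICEWARE_LIST_SIZE = 6 ** 5                       # 7776 words, one per five-digit key
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def roll_word_key() -> str:
    """Five dice rolls, e.g. '34521', indexing one word in the Diceware list."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def passphrase_keys(words: int) -> list[str]:
    """Keys for a passphrase of the given word count; look each up in the list."""
    return [roll_word_key() for _ in range(words)]


def random_extra_char() -> str:
    """The 'random character to increase entropy' the comment suggests."""
    return secrets.choice(PRINTABLE)


def entropy_bits(words: int, extra_random_chars: int = 0,
                 list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Bits of entropy, assuming every word and extra character is chosen uniformly.

    This is the only assumption that matters: a word the user picked because it
    is memorable, or a character placed where it 'looks right', adds nothing.
    """
    return words * math.log2(list_size) + extra_random_chars * math.log2(len(PRINTABLE))


if __name__ == "__main__":
    print("keys:", passphrase_keys(3), "extra:", random_extra_char())
    print(f"3 words: {entropy_bits(3):.1f} bits")
    print(f"3 words + 1 char: {entropy_bits(3, 1):.1f} bits")
    print(f"8 random printable chars: {entropy_bits(0, 8):.1f} bits")
```

For comparison, an 8-character password of fully random printable characters is about 52 bits, so a 3-word passphrase is weaker than that but far easier to remember; a 4th word (about 51.7 bits) closes most of the gap.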
    • https://www.pwdhash.com/ [pwdhash.com]

      You're welcome!
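The idea in the two comments above (a single remembered secret combined with the site name, so every service gets a different password), as an added example that is not code from the thread or from the PwdHash project: the per-site password is HMAC-SHA256 keyed with the master secret over a normalized domain, encoded for use as a password. The normalization, the `version` counter for rotating one site's password, and the 16-character length are this example's own choices, and the master secret and sites are constructed sample data.

```python
# Added example: deterministic per-site passwords from one master secret.
# Not the PwdHash algorithm; an HMAC-based construction with the same goal.
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def normalize_site(site: str) -> str:
    """Reduce a URL or host name to a stable key.

    'https://WWW.WordPress.org/plugins/' and 'wordpress.org' must derive the
    same password, or the user will be locked out by a capital letter.
    """
    host = urlsplit(site if "://" in site else f"//{site}").hostname or ""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def site_password(master: str, site: str, version: int = 1, length: int = 16) -> str:
    """Derive the password for one site.

    HMAC is one-way, so a site that leaks its copy of this password (or stores
    it in plaintext, as the thread suspects) learns nothing about the master
    secret or about the passwords derived for other sites. Bumping `version`
    rotates a single site's password without touching the others.
    """
    message = f"{normalize_site(site)}\n{version}".encode("utf-8")
    tag = hmac.new(master.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    master = "constructed-master-secret"  # constructed sample value
    for site in ("wordpress.org", "https://WWW.WordPress.org/plugins/", "wordpress.com"):
        print(f"{site:40} {site_password(master, site)}")
```

The trade-off the replies in this sub-thread argue about still applies: the master secret is now the single point of failure, and there is no way to recover a derived password without it, which is why a password manager (see the 1Password/LastPass and KeePassX comments) keeps an encrypted store rather than recomputing.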

    • Totally agree. Seriously, what have we got? Facebook, Google, Twitter, Github, Slashdot, Personal Sites, Banking, OmniAuth.... If I had a different, unique, strong password for each of these services my head would explode. Obviously you wouldn't want to use the same password for banking as you would for Twitter, but grouping things into manageable chunks is a must (e.g., all-social-networks-password, banking-password, all-personal-sites-password). But don't get me started on banks' online "security" with t
      • by tlhIngan (30335)

        Also, there's also the level of importance of the site to the user.

        Some random blogger's website? My NYTimes login? Minor forums I visit? I'll just use the same damn password. Who cares if it's hacked? So someone could post as me. If that site becomes more important, then I can always change the password later.

        My online banking/paypal/ebay/amazon/windows live/google password? nice secure and different (all linked to valuable accounts and services). My twitter/blog/NYTimes/slashdot/gawker/etc password? simpl

    • by Tsar (536185)

      "This is a great remainder [sic] for all users not use the same password for two different services."

      Not [sic] it's not. Not even slightly.

      Respectfully, I beg to differ. I'm running a password manager to keep track of all my passwords, online and otherwise. I'll never go back, and neither should you.

      Except for my password to the app itself (which is absurdly long but memorized and periodically changed), all my passwords are unique, cryptographically secure random printable-character strings of the maximum length allowed by each system or 255 characters, whichever is shorter. I keep three deeply-encrypted copies stored remotely, so unless

    • While it wouldn't be a good idea to write your password on a post-it stuck to your monitor at work, it might not be a bad idea to write your personal passwords for on-line services in a notebook that you keep at home. This way you can use multiple secure passwords for your on-line services.

  • Wrong as usual (Score:5, Informative)

    by gaspyy (514539) on Wednesday June 22, 2011 @09:41AM (#36527474)

    The summary is incorrect as usual.

    Some contributors' accounts were compromised, resulting in updates containing backdoors appearing from those contributors. The blog entry mentions AddThis, WPtouch and W3 Total Cache. The WordPress.org plugin repository was not hacked.

  • ...and nothing of value was lost. (Thank you AdBlock Plus for letting me banish that piece of rollover crap.)
  • there is WAY too much hacking going on. and for some twist of fate, this just predates the pending internet censorship/control scheme vote in american senate. and, american sources are attacked. way too many 'coincidence'.

    either this is some shady operation, or there is no course called 'statistics' on this planet.
  • This is a great remainder for all users not use the same password for two different services.

    And how is this going to result in a hacked website? Breaking into a user account should not give you administrator privileges. No, this is a great reminder to secure your fucking website against SQL injection, once again. Never trust your users just because they are "logged in". Now of course if the administrator of the website was using the same login/password as his gmail account or something then yes, he should be shot.

  • I think this may explain why, when I updated AddThis on some of my sites, it caused the white screen of death instead. So far the sites look ok, but now I need to go over them in more detail.
  • by billcopc (196330) <vrillco@yahoo.com> on Wednesday June 22, 2011 @10:33AM (#36528128)

    Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back

    Three popular plugins. Yes, they're popular, I've used all three on several sites.

    THAT'S IT! That is the extent of the damage. Three plugin authors whose passwords were exposed. Nobody "gained access to [...] the plugin repository". Dear submitter, go back to kindergarten and learn to read. It's in the first two goddamned sentences.

    This place has gone to the dogs... where the hell is a guy supposed to get his tech news anymore ?

    • Three popular plugins. Yes, they're popular, I've used all three on several sites.

      THAT'S IT! That is the extent of the damage. Three plugin authors whose passwords were exposed. Nobody "gained access to [...] the plugin repository". Dear submitter, go back to kindergarten and learn to read. It's in the first two goddamned sentences.

      What? How is uploading backdoor code to the repo not gaining access?

      Wordpress users who updated their plugins because Wordpress told them to now have backdoor code on their websites. If that's not a security breach, I don't know what is.

    • by nstlgc (945418)
      So how did they get the passwords of those users in the first place? Why are you believing only those three were the only authors whose passwords were exposed?

      And while I'm at it, why so butthurt? Do you have any personal stake in this?
  • As someone that's done a lot of end-user work, it annoys me to see the level of arrogance coming from posts like this one where the idea of using multiple passwords for different services is touted as the Only Responsible Way to do anything online.

    It doesn't bother me because it's a bad idea, it bothers me because if it's so goddamned important - why haven't the companies that make our web browsers and operating systems put some fucking effort into building features for this into our infrastructure? I have

    • by horza (87255)

      See all comments above about KeePassX. It's child's play. It's not a browser plugin, it's an app you can run on any OS including mobile. It's a better solution than you are suggesting. If somebody can handle the concept of a purse or wallet, they can understand KeePassX.

      Phillip.

  • This is a great remainder for all users not use the same password for two different services.

    Not really. I divide my logins into two categories: stuff that, if it were all compromised simultaneously, would be inconvenient but otherwise no big deal; and everything else. In the "everything else" category, every password is unique. For the stuff that isn't life or lifestyle critical, I save myself some mental effort and just use the same password.

    Oh noes, they got my Slashdot account, my account on some news

  • I have read over 100 virtually useless comments on the events that transpired at Wordpress, yet not one individual, not even the nefarious "Anonymous Coward" has come forward and blamed Microsoft for this dastardly deed. This has led me to the only logical conclusion, a cold day in Hell has finally arrived.
