Popular Wordpress Plug-in Caught Spamming Is Put On Probation

chicksdaddy writes "Social Media Widget, a free plug-in for the WordPress blogging platform with more than a million downloads, was restored to WordPress's official plugin directory on Thursday, days after it was found injecting WordPress websites with spam links to web sites offering Pay Day Loans. In a post on a support forum for Social Media Widget (SMW), Samuel Wood, a WordPress administrator, said that WordPress was willing to give SMW and its owner a second chance after he claimed to have been the victim of a contract developer gone rogue. 'Naturally we do take a very hard line on spam, and obviously an author putting malicious code into a plugin is enough grounds for us to bring down the ban hammer,' Wood wrote on Friday. 'But there are natural circumstances where an author may not be at fault.' SMW appears to be such a case. It is one of the 20 most popular WordPress add-ons and allows WordPress web site operators to include links to their other social media accounts. Brendan Sheehan, the owner of SMW, said, 'We trusted the wrong people with our plugin code and take full responsibility. We are a marketing company at heart and are not actually developers, so in order to provide major updates and improvements, we had to seek outside help. Some of these people deceived us and abused our trust and naivety...We will not make this mistake again.' Wood said the folks at WordPress decided to accept that story — but that they're watching SMW closely. 'Basically, the current maintainer is not a professional programmer, and put his trust in the wrong freelancers to do the coding work for him...We'll be watching the plugin for changes,' he said. 'The plugin is back up for now, and as long as it stays clean, it's fine.'"
  • by Anonymous Coward on Saturday April 13, 2013 @07:10PM (#43443233)

    That's a nice attitude to have. "The author of this plugin was caught injecting malicious code into every website using it, but we'll keep it on the downloads page so long as he agrees to follow the honour system?"

    How fucking stupid do you have to be?

  • by LordLucless ( 582312 ) on Saturday April 13, 2013 @07:19PM (#43443279)

    I know! We'll write everything in-house instead! Once I've got my custom language compiling, I'll start work on the relational database engine. We should have the site finished some time in 2030.

    Sooner or later, you're going to have to trust someone else's code. I guarantee you, whatever projects you work on, you're using someone else's code for something, and probably sight-unseen.

  • Troll (Score:5, Insightful)

    by Frosty Piss ( 770223 ) * on Saturday April 13, 2013 @07:26PM (#43443319)

    That's fucking par for the course for PHP devs...

    And there's the troll.

  • marketing (Score:5, Insightful)

    by Mr. Slippery ( 47854 ) <.tms. .at. .infamous.net.> on Saturday April 13, 2013 @07:45PM (#43443409) Homepage

    "We are a marketing company at heart..."

    IOW, "we are scum whose very purpose in life is to force unwanted messages into your eyes and ears, but trust us that this incident of unwanted messages was accidental."

  • Re:Troll (Score:5, Insightful)

    by Anonymous Coward on Saturday April 13, 2013 @07:49PM (#43443433)

    Is it still trolling if it's true?

  • by Anonymous Coward on Saturday April 13, 2013 @08:01PM (#43443473)

    For f*cks sake, there's no reason a supervisor shouldn't at least run a diff of the code and recompile (if applicable) before pushing a release. Unless there are huge changes, it shouldn't take more than 10 minutes. If anything looks really weird or out of place, start asking questions, preferably to someone else.
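    The release check this comment describes, written out as an added example that is not part of the thread and not the plugin's own code: a small Python script that diffs the previous release against the update and looks only at the lines the update adds, flagging hidden elements, links to hosts the plugin is not expected to reference, and the obfuscation primitives (eval, base64_decode, remote fetches) that a widget update has no business introducing. The two plugin sources, the host allow-list and the pattern list are constructed for the sample; the real Social Media Widget code is not shown here.

```python
"""Review the lines an update adds to a plugin before shipping or installing it.

Constructed example: two versions of a hypothetical WordPress plugin (not the
real Social Media Widget code). The review flags added lines that carry the
kind of payload the thread describes (hidden links to unrelated sites) plus the
usual obfuscation primitives an unexplained update should never introduce.
"""
import difflib
import re

# Constructed sample: the previous, clean release of a hypothetical plugin.
OLD_SOURCE = """<?php
/*
Plugin Name: Example Widget (constructed sample)
*/
function example_widget_render() {
    echo '<ul class="example-widget">';
    echo '<li><a href="https://twitter.com/example">Twitter</a></li>';
    echo '</ul>';
}
"""

# Constructed sample: the same plugin after an update that smuggles in
# a hidden outbound link and an obfuscated eval (placeholder blob).
NEW_SOURCE = """<?php
/*
Plugin Name: Example Widget (constructed sample)
*/
function example_widget_render() {
    echo '<ul class="example-widget">';
    echo '<li><a href="https://twitter.com/example">Twitter</a></li>';
    echo '</ul>';
    echo '<div style="display:none"><a href="http://loans.example">cheap loans</a></div>';
}
function example_widget_init() {
    eval(base64_decode('<opaque-blob>'));
}
"""

# Hosts this plugin is expected to link to (constructed allow-list for the sample).
ALLOWED_HOSTS = {"twitter.com", "facebook.com"}

# Patterns that deserve a question to the author when they appear in an update.
# Illustrative, not exhaustive; tune to the code base you review.
SUSPICIOUS = [
    (r"\beval\s*\(", "eval() call"),
    (r"\bbase64_decode\s*\(", "base64_decode() call (common obfuscation)"),
    (r"display\s*:\s*none", "hidden element"),
    (r"\bcurl_exec\s*\(|\bfile_get_contents\s*\(\s*['\"]https?://", "remote fetch"),
]


def added_lines(old: str, new: str):
    """Return (line_number_in_new, text) for every line present in new but not in old."""
    old_lines, new_lines = old.splitlines(), new.splitlines()
    matcher = difflib.SequenceMatcher(a=old_lines, b=new_lines)
    added = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            added.extend((j + 1, new_lines[j]) for j in range(j1, j2))
    return added


def link_hosts(line: str):
    """Hostnames referenced by href attributes in a single line of source."""
    return re.findall(r"""href=["'](?:https?:)?//([^/"'\s]+)""", line)


def review_update(old: str, new: str, allowed_hosts=ALLOWED_HOSTS):
    """Diff old against new; return (line, label, text) findings on added lines only.

    Looking only at what the update adds is what keeps this a ten-minute job
    for a small release; the unchanged code was reviewed when it last shipped.
    """
    findings = []
    for lineno, text in added_lines(old, new):
        for pattern, label in SUSPICIOUS:
            if re.search(pattern, text):
                findings.append((lineno, label, text.strip()))
        for host in link_hosts(text):
            if host.lower() not in allowed_hosts:
                findings.append((lineno, f"link to unlisted host {host}", text.strip()))
    return findings


def format_report(findings) -> str:
    """Human-readable report; an empty findings list means nothing to ask about."""
    if not findings:
        return "no suspicious additions"
    return "\n".join(f"line {ln}: {label}\n    {text}" for ln, label, text in findings)


if __name__ == "__main__":
    print(format_report(review_update(OLD_SOURCE, NEW_SOURCE)))
```

    Run it with the unpacked release candidate as NEW_SOURCE and the last tagged release as OLD_SOURCE. Any finding is exactly the "something looks weird" moment the comment talks about: stop the release and put the question to the contractor before, not after, the update reaches a million sites. A clean report is not proof of a clean update, only that nothing matched a short list, so the diff itself still gets read.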

  • by LordLucless ( 582312 ) on Saturday April 13, 2013 @08:09PM (#43443513)

    You can not trust every single piece of code you see while at the same time reusing other people's code, it's naive to make the leap of logic you did.

    And I never said you did; the leap of "logic" was on the part of the GP, not me. He said, and I paraphrase, if you install code you haven't reviewed, you deserve whatever you get. I said that, sooner or later, you must trust some code, not that every random piece of code is worthy of trust.

    And in this case, it's quite possible that people did perform a review of this plugin; after all, it hasn't been spamming the whole time it's been available. They performed an update on their plugin without vetting the update. Sure, that's not best practice, but I do the same thing on my personal computer at home all the time, even if I don't do it on my production systems. If I hosted a podunk little blog on Wordpress? I probably wouldn't vet every "security patch" for every plugin I used either.

    GP is a great big case of "blame the victim" mentality. Someone was malicious. They deliberately inserted malicious code into a trusted repository.

  • by Mr. Slippery ( 47854 ) <.tms. .at. .infamous.net.> on Saturday April 13, 2013 @09:37PM (#43443865) Homepage

    There is no good PHP, it's just horribly hacked together shit, and no one with an ounce of pride uses that language.

    foreach (array('PHP', 'Perl', 'Java', 'C', 'C++', 'Javascript') as $language) {
        There is no good $language, it's just horribly hacked together shit, and no one with an ounce of pride uses that language.
    }

    "There does not now, nor will there ever exist, a programming language in which it is the least bit hard to write bad programs." -- Lawrence Flon

  • by Anonymous Coward on Sunday April 14, 2013 @01:20AM (#43444515)

    Per my experience with PHP, your one-liner will eventually break in some strange way. It really is the worst.

  • by mysidia ( 191772 ) on Sunday April 14, 2013 @01:59AM (#43444627)

    Sooner or later, you're going to have to trust someone else's code. I guarantee you, whatever projects you work on, you're using someone else's code for something, and probably sight-unseen.

    It's not everyone's code you can't trust.

    It's only (1) the code you will actually distribute with your software, and (2) uncommon dependencies that are not part of widely used software packages.

    And even then, you have to be able to trust the code of people working for you; e.g. the coders you hire. If you can't do that, then you can't get anything done.

    So you should check into their background, and make sure the people you hire to make your code are either under a good contract or surety bond that protects your interest, and effects some risk transfer by providing you the right to sue for damages, especially, in case of obvious or provable malice.

    That way you align your worker's interest with yours, by ensuring that if they conduct an intentional abuse they are at risk.
