WordPress.org Hacked, Plugin Repository Compromised

An anonymous reader writes "Back in April hackers gained access to the WordPress.com servers and exposed passwords/API keys for Twitter and Facebook accounts. Now, hackers gained access to Wordpress.org and the plugin repository. Malicious code was found in several commits including popular plugins such as AddThis, WPtouch, or W3 Total Cache. Matt Mullenweg decided to force-reset all passwords on WordPress.org. This is a great reminder for all users not use the same password for two different services."

A great remainder...

[hammarlund]

and a great reminder as well.

Re:

[denis-The-menace]

5/2=2
1 is the remainder.

Idiocracy here we come!

Re:

[pushing-robot]

Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

Re:

[BarryJacobsen]

Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

But the typos are a subtraction.

Re:

[DrBoumBoum]

And in addition to that a distraction.

Re:

[Mordok-DestroyerOfWo]

Multiplying the discord among slashdotters!

Re:

[Thud457]

I don't appreciate your divisive comments!

Re:

[Tetsujin]

Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

Please excuse my dear aunt Sally. She's very pedantic about these sorts of issues.

Does that mean...

[ArsenneLupin]

... that Wordpress will now stop replacing quotes and doublequotes in users' contributions with bird droppings?

If so, yay!

Year of the Hacker

[wjousts]

It's looking increasingly like this year is going to be the year of the hacker. It's a new security breach every week (often several per week). It's getting to be quite dizzying.

Gonna be a tough year for IT security "professionals".

Re:Year of the Hacker

[SatanClauz]

Tough year? How about the year people finally realize security "professionals" are actually NEEDED!

Re:

[wjousts]

That was kinda my point. It's going to be the year when the "professionals" get separated from the Professionals.

Re:

[SatanClauz]

Ah, yes. Good point! You mean the custodian's brother that knows how to turn on windows firewall shouldn't be doing my security? =cO

Re:

[S.O.B.]

I think it's more basic than that, business units in big corps need to realize that they have to stop squeezing IT budgets. I've personally had to to fight for security and stability fixes/patches because if they can't see it then they won't pay for it. Of course there's always plenty of money for a new feature or a new pretty graphic.

They have security professionals but any actions they recommend that actually cost money are ignored or deferred until they have an actual problem.

Re:

[Jawnn]

Tough year? How about the year people finally realize security "professionals" are actually NEEDED!

Word. Maybe, just maybe, some suits will decide that, "Gee. Maybe we should spend some serious money on security..."
You know, like actually real actual security professionals and buy basic tools that would prevent many of hacks we've read about.
[pauses...] Naaaahh.

Re:

[Lumpy]

They hire minimum wage lackeys for the physical security... what makes you think they will hire someone skilled for the IT security?

Re:

[CastrTroy]

The problem is that there is no proper definition of "professionals" as far as computer security is concerned. Professional usually means somebody that is licensed by a state overseen organization to work in a specific field. This includes medical doctors, lawyers, engineers (some countries), and accountants among others. I don't believe that there exists any similar oversight for licensing of computer network security personnel. There are a lot of certifications put out by the likes of Cisco, Oracle, M

Re:

[MrNemesis]

people finally realize security "professionals" are actually NEEDED!

Or, if you know some of the people I've worked with, it'll be more a "as soon as the authorities have caught up with these LulzSec people, there won't be any more haXx0ring vectors, so what's the point in patching the servers? It's not like WE'D be a target anyway!". IME most companies won't give a shit about easily enforced and executed pre-emptive security until there's a thousand trojans running around the network and the entire company

Re:

[Anonymous Coward]

Tough? Lucrative is more the word I would use.Imagine all those CTO's messing themselves that they could be next, willing to pay over the odds to get a quick fix in.

Make hay while the sun shines!

Re:

[wiredog]

That's been every year since, oh, sometime in the last quarter of the last century.

Re:

[ygbsm]

You mean year of the criminal scum bag, right? Its time our community quit treating some of these guys like heros and freedom fighters - they're vandals, crooks, and theives, and need to be treated as such. There are no "grey hats" - you're either a white hat or a black hat, and you can't be both.

Re:

[Hatta]

They're *all* grey hats.

Re:

[ArhcAngel]

That sounds eerily similar to what the king of England said a little over 200 years ago when tea [boston-tea-party.org] was dumped [wikipedia.org] in a harbor [eyewitnesstohistory.com] by some "criminals" [socialstudiesforkids.com].

Re:

[nicolastheadept]

Yep "criminals". Slave owning, native killing, tax dodging "criminals".

Re:

[billcopc]

Don't delude yourself. Without these high-profile vandals, we'd all be running around with "1-2-3-4-5" as our password, ripe for the real bad guys to plunder. At least these pranksters are raising awareness while causing relatively small damage.

I'm still amazed at the frequency of these high-profile breaches, mostly because developers and business owners should know better by now, but that's largely because I easily forget the fact that most people are terminally stupid. I distinctly recall one morning w

Re:

[wjousts]

Yes. I don't consider them heroes either. At best they are an angry mob, and mob rule isn't a desirable thing either.

Re:Year of the Hacker

[X.25]

It's looking increasingly like this year is going to be the year of the hacker. It's a new security breach every week (often several per week). It's getting to be quite dizzying.

Gonna be a tough year for IT security "professionals".

Professionals left that world and went onto other things when suits concluded that security products are enough.

So now, it'll be hackers vs security products and trained monkeys. Fun all around.

Re:

[sqldr]

I can't wait for this year's version of this:

http://pwnies.com/
We all had a good laugh at microsoft's CSS "protection" code, but compared to this year, microsoft are starting to look quite good..

plain text.... really?

[datapharmer]

Perhaps someone is just sniffing their email They send all the password plain text! WTF mate?

Re:

[L-four]

bitches dont know about my plain text passwords.

store hash instead of password

[Anonymous Coward]

Is it too difficult to, instead of storing the actual passwords, store a hash and during authorization just compare the hashes?

Re:

[Otto]

WordPress does only store password hashes, using the PHPass hashing library.

Re:

[ChrisMP1]

Three out of your last six posts were self-promotion. Go away.

Re:

[Phreakiture]

That's fine until someone comes along with a rainbow table . . .

Re:

[KiloByte]

That's bland. Needs salt.

Re:

[Phreakiture]

Dude! I wish I could mod you up for that.

A great reminder?

[iateyourcookies]

"This is a great remainder [sic] for all users not use the same password for two different services."

Not it's not. Not even slightly.

The amount of mental effort required by users to memorise a different password for every internet site is at best unreasonable, if not a completely insane idea. While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

Blaming the user here is unreasonable.

Re:

[madhatter256]

It is good practice to use multiple passwords for different services.

I do it and I have A LOT of passwords to memorize. Luckily, I wrote them down on a piece of paper and have that kept in a safe place as I do tend to forget those that I hardly visit from time to time.

Now I know writing passwords in a text document and saving it on your PC is stupid, but writing it down on a peice of paper isn't. It's about how it's written, if you write passwords and leave it in your jewelry box or personal safe or with

Re:

[ccguy]

It is good practice to use multiple passwords for different services.

What good is that when you can reset/recover all passwords using the same email account?

Re:

[Grauwyler]

It is good practice to use multiple passwords for different services.

What good is that when you can reset/recover all passwords using the same email account?

Then you just need a unique email account for each service that you sign up for.

Re:

[heypete]

Google Mail, as an example, supports two-factor authentication (either with a smartphone app, a pre-printed list of one-time codes, or SMS messages to mobile phones). Enabling this feature makes it much more difficult for bad guys to compromise an account.

Re:

[Otto]

Use an encrypted password storage system like 1Password or LastPass. Yes, it's not perfect, but what is? Passwords that don't look like line noise are vulnerable nowadays.

Re:

[jank1887]

got it. will only ever log in from a single PC/mobile device. no need to remember more than 1 password evar.

Re:

[somersault]

The user could just put the name of the website into the email. That will make it easy for someone to figure out their password scheme if they always use the same format of websitename-mypassword, but if they use it only for sites which store hashes, then it's going to be extremely unlikely that anyone will crack their passwords through pure brute force..

Re:

[ZaMoose]

Their site wasn't compromised AFAICT. Three plugin developers' accounts were compromised (passwords guessed?) and SVN checkins containing backdoors were pushed into their respective (fairly popular) plugins. This was intended to push malware out to individual WordPress installs.

Re:

[pongo000]

While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

I was going to mod this up, but thought it might be a good time for my annual suggestion of using passphrases [diceware.com] instead of random sequences of characters. Much easier to remember, and a short 3-word passphrase (maybe with a random character to increase entropy) usually satisfies the moronic

Re:

[BlackPignouf]

https://www.pwdhash.com/ [pwdhash.com]

You're welcome!

Re:

[robmclarty]

Totally agree. Seriously, what have we got? Facebook, Google, Twitter, Github, Slashdot, Personal Sites, Banking, OmniAuth.... If I had a different, unique, strong password for each of these services my head would explode. Obviously you wouldn't want to use the same password for banking as you would for Twitter, but grouping things into manageable chunks is a must (e.g., all-social-networks-password, banking-password, all-personal-sites-password). But don't get me started on banks' online "security" with t

Re:

[tlhIngan]

Also, there's also the level of importance of the site to the user.

Some random blogger's website? My NYTimes login? Minor forums I visit? I'll just use the same damn password. Who cares if it's hacked? So someone could post as me. If that site becomes more important, then I can always change the password later.

My online banking/paypal/ebay/amazon/windows live/google password? nice secure and different (all linked to valuable accounts and services). My twitter/blog/NYTimes/slashdot/gawker/etc password? simpl

Re:

[Tsar]

"This is a great remainder [sic] for all users not use the same password for two different services."

Not [sic] it's not. Not even slightly.

Respectfully, I beg to differ. I'm running a password manager to keep track of all my passwords, online and otherwise. I'll never go back, and neither should you.

Except for my password to the app itself (which is absurdly long but memorized and periodically changed), all my passwords are unique, cryptographically secure random printable-character strings of the maximum length allowed by each system or 255 characters, whichever is shorter. I keep three deeply-encrypted copies stored remotely, so unless

Slayers episode 17: A great reminder?

[Tetsujin]

Yeah, this _is_ a great reminder. Just use KeePassX (http://www.keepassx.org/) or something similar...

I can't recommend this product highly enough. I've used Keep Ass X on my website for years, and I would certainly say it lived up to its promise of covering my ass!

Re:

[not-my-real-name]

While it wouldn't be a good idea to write your password on a post-it stuck to your monitor at work, it might not be a bad idea to write your personal passwords for on-line services in a notebook that you keep at home. This way you can use multiple secure passwords for your on-line services.

Wrong as usual

[gaspyy]

The summary is incorrect as usual.

Some contributors' accounts were compromised, resulting in updates containing backdoors appearing from those contributors. The blog entry mentions AddThis, WPtouch and W3 Total Cache. The WordPress.org plugin repository was not hacked.

Re:

[Hatta]

If you've been hacked, you have to assume there's a root kit. Unless you have checksums for every file on the machine, and scan it from a system on read only media, there's no way to prove there's not a back door you haven't discovered yet.

AddThis

[Megane]

...and nothing of value was lost. (Thank you AdBlock Plus for letting me banish that piece of rollover crap.)

Seems like black ops to me now.

[unity100]

there is WAY too many hacking going on. and for some twist of fate, this just predates the pending internet censorship/control scheme vote in american senate. and, american sources are attacked. way too many 'coincidence'.

either this is some shady operation, or there is no course called 'statistics' on this planet.

Re:

[stderr_dk]

And we all know from 'statistics' that correlation does not imply causation.

...but it does waggle its eyebrows suggestively and gesture furtively while mouthing 'look over there' [xkcd.com].

Re:

[unity100]

when the correlation goes statistically improbably congruent, it implies causation - direct or indirect.

Completely irrelevant

[Dunbal]

This is a great remainder for all users not use the same password for two different services.

And how is this going to result in a hacked website? Breaking into a user account should not give you administrator privileges. No, this is a great reminder to secure your fucking website against SQL injection, once again. Never trust your users just because they are "logged in". Now of course if the administrator of the website was using the same login/password as his gmail account or something then yes, he should be shot.

Updated AddThis on one of my sites on the 19th

[stephathome]

I think this may explain why, when I updated AddThis on some of my sites, it caused the white screen of death instead. So far the sites look ok, but now I need to go over them in more detail.

Summary is full of shit, as usual

[billcopc]

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back

Three popular plugins. Yes, they're popular, I've used all three on several sites.

THAT'S IT! That is the extent of the damage. Three plugin authors whose passwords were exposed. Nobody "gained access to [...] the plugin repository". Dear submitter, go back to kindergarten and learn to read. It's in the first two goddamned sentences.

This place has gone to the dogs... where the hell is a guy supposed to get his tech news anymore ?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[nstlgc]

So how did they get the passwords of those users in the first place? Why are you believing only those three were the only authors who's passwords were exposed?

And why I'm at it, why so butthurt? Do you have any personal stake in this?

Arrogance from the IT Department

[TellarHK]

As someone that's done a lot of end-user work, it annoys me to see the level of arrogance coming from posts like this one where the idea of using multiple passwords for different services is touted as the Only Responsible Way to do anything online.

It doesn't bother me because it's a bad idea, it bothers me because if it's so goddamned important - why haven't the companies that make our web browsers and operating systems put some fucking effort into building features for this into our infrastructure? I have

Re:

[horza]

See all comments above about KeePassX. It's childs play. It's not a browser plugin, it's an app you can run on any OS including mobile. It's a better solution than you are suggesting. If somebody can handle the concept of a purse or wallet, they can understand KeePassX.

Phillip.

The decision is mine, not yours

[pclminion]

This is a great remainder for all users not use the same password for two different services.

Not really. I divide my logins into two categories: stuff that, if it were all compromised simultaneously, would be inconvenient but otherwise no big deal; and everything else. In the "everything else" category, every password is unique. For the stuff that isn't life or lifestyle critical, I save myself some mental effort and just use the same password.

Oh noes, they got my Slashdot account, my account on some news

Shocked

[Pigskin-Referee]

I have read over 100 virtually useless comments on the events that transpired at Wordpress, yet not one individual, not even the nefarious "Anonymous Coward" has come forward and blamed Microsoft for this dastardly deed. This had led me to the only logical conclusion, a cold day in Hell has finally arrived.

Re:

[Stenchwarrior]

Please say you were joking.

On behalf of the rest of us Americans, please understand that only less than half of the people in our country actually talk and act like this guy; It's not everyone, I assure you.

Re:

[Lumpy]

"Who actually chants "USA! USA! USA!" in America?"

Alabama suicide bombers... Luckily they build the bombs themselves and end up exploding prematurely in a open field.

Re:

[bill_mcgonigle]

"Who actually chants "USA! USA! USA!" in America?"

Northern "conservatives", of the nationalistic jingoist variety.

Re:

[SilentStaid]

Well, Philly is backwards - but it's not Southern.

http://www.myfoxphilly.com/dpp/sports/mlb/phillies/Osama_Bin_Laden_Dead_Citizens_Bank_Park_USA_Chants_050111 [myfoxphilly.com]

Re:

[Danzigism]

Apparently you've never heard of Hacksaw Jim Duggan.... [wikipedia.org]

"USA" chanted in New York City

[perpenso]

Who actually chants "USA! USA! USA!" in America? Is that a southern thing, ...

Apparently you missed the coverage of Times Square the day Bin Laden was killed. There was no shortage of New York City residents chanting for the TV cameras.

Re:

[gnapster]

Well, at least you're not racist.

Re:

[ciderbrew]

America / American is not a race.

Re:

[gnapster]

I didn't say it was.

Re:

[ciderbrew]

I didn't say you did.

Re:

[gnapster]

Cool. Glad we're on the same page.

Re:

[lostmongoose]

Who actually chants "USA! USA! USA!" in America?

I worked with the wealthy snowbirds and the every day racism of Americans drove me back to Germany. Genuine hate towards foreigners from people who's great grand parents stole the land they live on today.

All in the name of freedom, progress and the good old US of A, fuck that, fuck them.

Oh my. A German chiding the people of other nations over hate. That's absolutely hilarious. I needed that laugh today.

Re:

[torgis]

Oh my. A German chiding the people of other nations over hate. That's absolutely hilarious. I needed that laugh today.

Perhaps he feels qualified to comment; the Germans having had much experience in such matters.