WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext
An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites. "This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user's password is collected (in cleartext) and sent to his server. WordPress hasn't moved in to ban the plugin just yet, despite user complaints."
Re: (Score:2)
And suddenly, it's like, "BEEP BEEP BEEP" and then, like, half my blog post was gone.
You should have composed your blog post in a separate text file, copied and pasted it into the WordPress editor, and finalized the blog post.
Re: (Score:2)
You should have composed your blog post in a separate text file, copied and pasted it into the WordPress editor, and finalized the blog post.
Whoosh!
Enlightenment: https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
Whoosh!
I'm using a PC. That's why I gave my advice. ;)
Re: (Score:2)
I read that not once, but twice, as "I'm used to being PC." I guffawed.
Re: (Score:2)
I read that not once, but twice, as "I'm used to being PC." I guffawed.
I want to be a Mac. But my insurance doesn't cover those kinds of computational operations.
plugin has been suppressed from the wordpress site (Score:5, Informative)
I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...
Re:plugin has been suppressed from the wordpress s (Score:4, Funny)
So somebody did the needful?
Re: (Score:2)
Re: (Score:2)
I believe somebody just rebooted the server.
Re: (Score:1)
I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...
So, wordpress reacts to bad publicity not to threats to their users. That's actually worse than if they did nothing because if they did nothing we'd hear about it all the time whereas now the questions are, "What else did Wordpress manage to close down just before it got written about on Slashdot? What else is Wordpress hiding?"
Somewhere there are wordpress users who have installed this and either have not yet had their credentials stolen or have not yet had them used against them. Notifying their users
Re: (Score:3)
I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...
So, wordpress reacts to bad publicity not to threats to their users. That's actually worse than if they did nothing because if they did nothing we'd hear about it all the time whereas now the questions are, "What else did Wordpress manage to close down just before it got written about on Slashdot? What else is Wordpress hiding?"
Somewhere there are wordpress users who have installed this and either have not yet had their credentials stolen or have not yet had them used against them. Notifying their users should be the top priority. This should be front page on their site [wordpress.com]. This should be the top news on their blog [wordpress.com]. There is nothing there. Wordpress is still hiding things and letting down their users. This posting is not nearly aggressive enough.
Wordpress.com is very different from the community wordpress.org: one is a commercial entity that offers free and paid hosted wordpress services, and the latter is the upstream/open source wordpress community that offers wordpress for self-hosting.
Neither of these entities is responsible for or has any control over third-party plugins like the one mentioned in the article. This would be like blaming Microsoft for someone releasing Win32 shareware that hijacked credentials.
Re: (Score:2)
Re: (Score:2, Interesting)
Your post doesn't make sense! Observe that we aren't talking about a bug or backdoor in a MS product, just software that uses the public API to do something. So do you really blame MS when someone downloads something that can run on a Windows machine and it happens to be malware?
If so I hope you blame Linus whenever someone installs some malware on their Linux machine...
Re: plugin has been suppressed from the wordpress (Score:1)
Re: (Score:1)
wordpress.org is hosting this plugin
Re: plugin has been suppressed from the wordpress (Score:3)
Actually, as soon as we were notified of the issue, the plugin was closed and hidden on a temporary basis until we had time to evaluate the problem. Once we had done so, I personally created a new version of the plugin, without the malicious code, and pushed it to the repository in order to get the update out to the affected users. The existing committers were all removed, leaving the plugin entirely in the hands of the plugin team. The latest version is now safe and will not be otherwise until we determine
Re: (Score:2)
I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...
There is typically a delay between submitting a story to Slashdot and it actually being posted. This delay can account for changing facts in a case that is unfolding as the reporting on it progresses.
What we need is more rigour on posting updates to stories where the facts change while the story is still fresh.
Re: (Score:3)
What we need is more rigour on posting updates to stories where the facts change while the story is still fresh.
Like how The New York Times kept changing the content of an exclusive story on its website?
http://www.poynter.org/2015/new-york-times-changes-its-hillary-clinton-story-again/360545/ [poynter.org]
Re: (Score:2)
Like how The New York Times kept changing the content of an exclusive story on its website?
NO! Not at all. Not even in the slightest. I never said "change the content". I said "Posting Updates".
I.e. if I had an edit button above I would write:
Update 06/03/16: It seems most Slashdot posters think everything is some nefarious conspiracy.
Re: (Score:2)
So, you're saying they don't need the BadPress(tm)?
Re: (Score:2)
I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...
WP deserve all the criticism they get. Publishing a plugin architecture so open to privilege escalation should be illegal. They claim to be secure against common attacks. Yet privilege escalation via plugin doesn't count?
From the Wordpress web site.. "Since its inception in 2003, WordPress has undergone continual hardening so its core software can address and mitigate common security threats, including the Top 10 list identified by The Open Web Application Security Project (OWASP) as common security vulnera
Re: (Score:2)
> Publishing a plugin architecture so open to privilege escalation should be illegal.
Really? Illegal? Really?
Re: (Score:2)
> Publishing a plugin architecture so open to privilege escalation should be illegal.
Really? Illegal? Really?
Yes. When you also make claims that your software is secure.
Re: (Score:1)
Re:Truly irresponsible (Score:4, Funny)
The developer should be extradited
Why? He didn't hack a movie studio or a music studio, nor did he hack the government. Extradited, hahahahahahahahaha oh wait you were serious...
This took longer to happen than I thought (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Chill. It's just a buggy update feature. (Score:1)
I RTFA and apparently it's just a bug in the plugins auto-update. Albeit a WP bug that has the potential to bring down the entire site and/or expose the site's core. But we're talking about WP, so no big surprise here.
Important rule for WP: Avoid plugins where possible, they're often even worse than legacy WP code itself.
Re: (Score:2, Informative)
Jesus man, RTFA once in a while. It's completely, 100%, malicious intent. It adds an admin user to the site with the dev's name/group name, and in case he couldn't log in he used the backdoor to upload a custom PHP script onto the installation to modify the wp-options file.
When is the last time you've "accidentally" introduced a bug that sends all user logins to a server in India in cleartext by mistake? Does the fact that this plugin was dead for a year and suddenly has this new superpower not worry you?
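A defender-side check for the kind of core-file tampering this comment describes, added here as an example (not code from the thread, the plugin, or WordPress itself): it compares an install tree against a manifest of known-good MD5 hashes and reports modified, missing, and unexpected files outside wp-content. The manifest shape (relative path to MD5 hex) follows the per-version checksum map WordPress publishes; the manifest and the sample tree below are constructed so the script runs offline.

```python
import hashlib
import os
import tempfile

def md5_file(path):
    """Hash one file in chunks (WordPress publishes MD5 for core files)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_core(root, manifest, skip_dirs=("wp-content",)):
    """Return sorted (modified, missing, unexpected) paths relative to root.
    manifest maps 'relative/path.php' -> MD5 hex of the pristine file; dirs
    in skip_dirs (plugins, themes, uploads) are site-specific, not core."""
    modified, missing, unexpected = [], [], []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_file(full) != expected:
            modified.append(rel)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest:
                unexpected.append(rel)  # e.g. a dropped-in PHP file
    return sorted(modified), sorted(missing), sorted(unexpected)

def build_sample_tree():
    """Constructed install: pristine manifest, then tampered as in the report."""
    root = tempfile.mkdtemp()
    clean = {"wp-login.php": b"<?php // login\n",
             "wp-includes/user.php": b"<?php // user\n",
             "wp-content/plugins/demo/demo.php": b"<?php // plugin\n"}
    manifest = {p: hashlib.md5(c).hexdigest() for p, c in clean.items()
                if not p.startswith("wp-content/")}
    for rel, content in clean.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    with open(os.path.join(root, "wp-login.php"), "ab") as f:
        f.write(b"// simulated appended credential logger\n")  # core file altered
    with open(os.path.join(root, "wp-extra.php"), "wb") as f:
        f.write(b"<?php // simulated dropped-in file\n")  # file not in manifest
    os.remove(os.path.join(root, "wp-includes", "user.php"))  # core file missing
    return root, manifest
```

On a live install, WP-CLI's `wp core verify-checksums` performs the same comparison against the checksums WordPress publishes for the installed version.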
Re: (Score:3, Funny)
First rule of Wordpress: never use any plugins or themes
Second rule of Wordpress: never use stock wordpress without additional plugins to fix security
Make sure to follow both rules at all times or don't use Wordpress at all.
Re: (Score:3, Funny)
First rule of Wordpress: never use
Here, FTFY: Your comment could have just stopped here. You could also omit the first three words without compromising it in any relevant way.
Re: (Score:1)
Hm, you just compressed 230 characters into 9, a 96% lossless compression ratio. Even better, the compressed file is still readable and can in fact be read much faster. If you could write a program to do this automatically, it could save us all so much reading time.
PS: I tried to write a program to compress text to its bare meaning, but it was buggy. When I tested it on the latest politician's speech, it just output "null".
Re: (Score:3)
Wordpress can be made pretty safe, but the default install is subject to all sorts of mischief and malicious twiddling. And the plugins are the Achilles' heel of Wordpress, no doubt about it.
There are, however, several good plugins that can be used to harden Wordpress, most notably one called 'Wordfence'. I don't do many WP installs but for me it's an absolute must-have plugin; it has loads of options to harden the system.
Outside of that, do all the usual stuff- move the config file, make it read-only, don't
What's the world coming to? (Score:2)
Where is the pride that people used to have? At least use encryption to send the passwords back to your site! I mean, what's the point of gathering all of those passwords if you are going to send them in plain text for all of the world to see. Probably sent them directly to the final site too instead of in a roundabout way that's hard to trace.
Hay timmy, DA (Score:2)
Re: (Score:2)
Re: (Score:2)
Amusingly, custom content types are a core Drupal feature. So here's another example of people trying to get functionality that's already in Drupal into their crappy WordPress install... and getting taken advantage of as a result.
Yeah, nobody's perfect, Drupal had a hole in the database security layer not too long ago... but it ain't WordPress. Even if that's the best thing you can say about it, it's still inexplicable why people still choose to install WP.
The name of the plugin belongs in the summary (Score:1)