Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Open Source Security IT

WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext 76

An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites. "This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user's password is collected (in cleartext) and sent to his server. WordPress hasn't moved in to ban the plugin just yet, despite user complaints.
This discussion has been archived. No new comments can be posted.

WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext

Comments Filter:
  • by Herve5 ( 879674 ) on Saturday March 05, 2016 @06:54AM (#51642907)

    I find the info quite aggressive agains WP, the plugin indeed has been banned, and before this second post...

    • So somebody did the needful?

    • by Anonymous Coward

      I find the info quite aggressive agains WP, the plugin indeed has been banned, and before this second post...

      So; wordpress reacts to bad publicity not to threats to their users. That's actually worse than if they did nothing because if they did nothing we'd hear about it all the time whereas now the questions are, "What else did Wordpress manage to close down just before it got written about on Slashdot? What else is Wordpress hiding?"

      Somewhere there are wordpress users who have installed this and either have not yet had their credentials stolen or have not yet had them used against them. Notifying their users

      • by Sadsfae ( 242195 )

        I find the info quite aggressive agains WP, the plugin indeed has been banned, and before this second post...

        So; wordpress reacts to bad publicity not to threats to their users. That's actually worse than if they did nothing because if they did nothing we'd hear about it all the time whereas now the questions are, "What else did Wordpress manage to close down just before it got written about on Slashdot? What else is Wordpress hiding?"

        Somewhere there are wordpress users who have installed this and either have not yet had their credentials stolen or have not yet had them used against them. Notifying their users should be the top priority. This should be front page on their site [wordpress.com]. This should be the top news on their blog [wordpress.com]. There is nothing there. Wordpress is still hiding things and letting down their users. This posting is not nearly aggressive enough.

        Wordpress.com is very different than the community wordpress.org, one is a commercial entity that offers free and paid hosted wordpress services and the latter is the upstream/open source wordpress community that offers wordpress for self-hosting.

        Neither of these entities are responsible for or have any control over 3rd party plugins like the one mentioned in the article. This would be like blaming Microsoft for someone releasing Win32 shareware that hijacked credentials.

        • by Dunbal ( 464142 ) *
          Microsoft gets blamed for security holes all the time, and these are exploited by 3rd parties. Your last point makes no sense.
          • Re: (Score:2, Interesting)

            by Megol ( 3135005 )

            Your post doesn't make sense! Observe that we aren't talking about a bug or backdoor in a MS product, just that software that uses the public API to do something. So do you really blame MS when someone downloads something that can run on a Windows machine and it happens to be malware?

            If so I hope you blame Linus whenever someone installs some malware on their Linux machine...

        • by Anonymous Coward

          wordpress.org is hosting this plugin

      • Actually, as soon as we were notified of the issue, the plugin was closed and hidden on a temporary basis until we had time to evaluate the problem. Once we had done so, I personally created a new version of the plugin, without the malicious code, and pushed it to the repository in order to get the update out to the affected users. The existing committers were all removed, leaving the plugin entirely in the hands of the plugin team. The latest version is now safe and will not be otherwise until we determine

    • I find the info quite aggressive agains WP, the plugin indeed has been banned, and before this second post...

      There is typically a delay between submitting a story to Slashdot and it actually being posted. This delay can account for changing facts in a case that is unfolding as the reporting on it progresses.

      What we need is more rigour on posting updates to stories where the facts change while the story is still fresh.

      • by creimer ( 824291 )

        What we need is more rigour on posting updates to stories where the facts change while the story is still fresh.

        Like how The New York Times kept changing the content of an exclusive story on its website?

        http://www.poynter.org/2015/new-york-times-changes-its-hillary-clinton-story-again/360545/ [poynter.org]

        • Like how The New York Times kept changing the content of an exclusive story on its website?

          NO! Not at all. Not even in the slightest. I never said "change the content". I said "Posting Updates".

          I.e. if I had an edit button above I would write:
          Update 06/03/16: It seems most Slashdot posters think everything is some nefarious conspiracy.

    • So, you're saying they don't need the BadPress(tm)?

    • I find the info quite aggressive agains WP, the plugin indeed has been banned, and before this second post...

      WP deserve all the criticism they get. Publishing a plugin architecture so open to privilege escalation should be illegal. They claim to be secure against common attacks. Yet privilege escalation via plugin doesn't count?

      From the Wordpress web site.. "Since its inception in 2003, WordPress has undergone continual hardening so its core software can address and mitigate common security threats, including the Top 10 list identified by The Open Web Application Security Project (OWASP) as common security vulnera

      • by KGIII ( 973947 )

        > Publishing a plugin architecture so open to privilege escalation should be illegal.

        Really? Illegal? Really?

        • > Publishing a plugin architecture so open to privilege escalation should be illegal.

          Really? Illegal? Really?

          Yes. When you also make claims that your software is secure.

    • by meadow ( 1495769 )
      Only a ban on the plugin? No prosecution? He committed a serious felony against thousands of people. So the government does nothing about it? Yeah, because they only shit their pants when someone tries to hack into their systems. To hell with the public.
  • by dbIII ( 701233 ) on Saturday March 05, 2016 @07:30AM (#51642977)
    Seriously guys, I know it's the quick and lazy way to put together a website but it's obvious that this sort of thing is going to happen in that creaking pile of php intentional or otherwise.
    • by Bengie ( 1121981 )
      The real question is why the web daemon even had permission to modify files.
    • Indeed, it might be said that wordpress itself is malware.
  • I RTFA an apparently it's just a bug in the Plugins auto-update. Albeight a WP bug, that has the potential to bring down the entire site and/or expose the sites core. But we're talking about WP, so no big surprise here.

    Important rule for WP: Avoid plugins where possible, they're often even worse than legacy WP code itself.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Jesus man, RTFA once in a while. It's completely, 100%, malicious intent. It adds a admin user to the site with the devs name/group name, and in case he couldn't login he used the backdoor to upload custom php script onto the installation to modify the wp-options file.

      When is the last time you've "accidentally" introduced a bug that send all user logins to a server in India in cleartext by mistake? Does the fact that this plugin was dead for a year and suddenly has this new superpower not worry you?

    • Re: (Score:3, Funny)

      by Anonymous Coward

      First rule of Wordpress: never use any plugins or themes
      Second rule of Wordpress: never use stock wordpress without additional plugins to fix security

      Make sure to follow both rules at all times or don't use Wordpress at all.

      • Re: (Score:3, Funny)

        by drinkypoo ( 153816 )

        First rule of Wordpress: never use

        Here, FTFY: Your comment could have just stopped here. You could also omit the first three words without compromising it in any relevant way.

        • Hm, you just compressed 230 characters into 9, a 96% lossless compression ratio. Even better, the compressed file is still readable and can in fact be read much faster. If you could write a program to do this automatically, it could save us all so much reading time.

          PS: I tried to write a program to compress text to it's bare meaning, but it was buggy. When I tested it on the latest politician's speech, it just outputted "null".

        • Wordpress can be made pretty safe, but the default install is subject to all sorts of mischief and malicious twiddling. And the plugins are the Achilles Heel of Wordpress, no doubt about it.

          There are, however, several good plugins that can be used to harden Wordpress, most notably is one called 'Wordfence'. I don't do many WP installs but for me it's absolute must-have plugin; it has loads of options to harden the system.

          Outside of that, do all the usual stuff- move the config file, make it read-only, don't

  • Where is the pride that people use to have? At least use encryption to send the passwords back to your site! I mean, what's the point of gathering all of those passwords if you are going to send them plain text for all of the world to see. Probably sent them directly to the final site too instead of round about way that's hard to trace.

  • What's GD name OTF plug in?
    • JC! I had to RTFA to find out it's called "Custom Content Type Manager (CCTM)"
      • Amusingly, custom content types are a core Drupal feature. So here's another example of people trying to get functionality that's already in Drupal into their crappy WordPress install... and getting taken advantage of as a result.

        Yeah, nobody's perfect, Drupal had a hole in the database security layer not too long ago... but it ain't WordPress. Even if that's the best thing you can say about it, it's still inexplicable why people still choose to install WP.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (8) I'm on the committee and I *still* don't know what the hell #pragma is for.

Working...