Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security The Internet Communications Network Privacy

WordPress Auto-Update Server Had Flaw Allowing Persistent Backdoors In Websites (theregister.co.uk) 33

mask.of.sanity quotes a report from The Register: Up to a quarter of all websites on the internet could have been breached through a since-patched vulnerability that allowed WordPress' core update server to be compromised. The since-shuttered remote code execution flaw was found in a php webhook within api.wordpress.org that allows developers to supply a hashing algorithm of their choice to verify code updates are legitimate. Matt Barry, lead developer of WordPress security outfit WordFence, found attackers could supply their own extremely weak hashing algorithm as part of that verification process, allowing a shared secret key to be brute-forced over the course of a couple of hours. The rate of guessing attempts would be small enough to fly under the radar of WordPress' security systems. Attackers that used the exploit could then send URLs to the WordPress update servers that would be accepted and pushed out to all WordPress sites. Web-watching service W3techs.com reckons those sites represent 27.1 per cent of the entire world wide web. "By compromising api.wordpress.org, an attacker could conceivably compromise more than a quarter of the websites worldwide in one stroke," Barry says. "We analyzed [WordPress] code and found a vulnerability that could allow an attacker to execute their own code on api.wordpress.org and gain access to it. Compromising this [update] server could allow an attacker to supply their own URL to download and install software to WordPress websites, automatically." Attackers could go further; once a backdoored or malicious update was pushed out, they could disable the default auto updates preventing WordPress from fixing compromised websites.
This discussion has been archived. No new comments can be posted.

WordPress Auto-Update Server Had Flaw Allowing Persistent Backdoors In Websites

Comments Filter:
  • by TFlan91 ( 2615727 ) on Wednesday November 23, 2016 @09:17AM (#53345563)

    You could've just left the summary as "Wordpress".

    Would've conveyed the same message.

  • by Big Hairy Ian ( 1155547 ) on Wednesday November 23, 2016 @09:24AM (#53345581)
    That someone thinks hacking Wordpress is news or that 25% of the internet runs on Wordpress :|
    • Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

      Set a man a fire

      Set a man afire

      It actually makes sense that way.

  • I'm converting my WordPress websites to static websites, removing PHP and database from the backend. The Russian and Southeast Asian hackers can kiss my shiny text files.
    • Why not convert them all to ASCII text, no images, no colors, and only allow download from a 2400 or less baud modem for that really authentic 1990 feel?
      • Why not convert them all to ASCII text, no images, no colors, and only allow download from a 2400 or less baud modem for that really authentic 1990 feel?

        Because I still want my JavaScript. :P

  • I ran a low traffic WordPress blog for many years. WordPress has many great features but between insecure plugins and a constantly updating core system, it just takes too much time to administer for someone who just wants to host a simple no-fuss blog.

    My advice is for anyone starting a personal blog is to either use a WordPress hosting company or just go with something like Tumblr. You don't get the flexibility, but your life will be easier.

    I got so fed up that I wrote my own static site generator to run my [sheep.horse]

    • And if you want to play with something a bit more technical, I would recommend Pelican [getpelican.com]. As creimer said above: static is the way to go for a lot of people. You write your posts in markdown, then compile to HTML, then upload to your hosting. No database, no management, no worries, no patching.

      • That's exactly how my site works - it turns a folder structure of markdown(ish) files into a folder structure of indexed and cross-linked html, then rsync's the result to my server. No database, no dependencies, just files and a python script or two.

        I even exported and converted 400 posts from WordPress using a small script.

        I looked at pelican at the time. I can't remember why I didn't use it, but rolling my own was a fun project.

    • WordPress has many great features but between insecure plugins and a constantly updating core system, it just takes too much time to administer

      This. A thousand times.

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Wednesday November 23, 2016 @01:10PM (#53347591)

    WordPress has north of 100 Million active installations on the web (100 000 000+).
    Again, in words: thats more than one-hundred-million in active, running installations on the web.
    The last critical exploit was about half a year ago and had infected roughly 8000 installations by the time it was patched

    I don't know about you, but I'd say that's a pretty impressive security track record for a piece of software written on Crack, in PHP, by people who didn't have the slightest idea about software architecture back in 2001, mostly running on LAMP and that gets installed and run by n00bs 99.99 % of the time and is constantly exposed to the open intarweb and an onslaught of permanent attacks.

    Try that with any OOAD-buzzword-compliant 'cleanroom designed' Java or Ruby thingie. Good luck.

    My 2 cents.

Adding manpower to a late software project makes it later. -- F. Brooks, "The Mythical Man-Month"

Working...