
The story of how one WordPress plugin got compromised - or how you let vulnerabilities into your projects

A long time ago, when I was young and built websites in PHP, I wrote an SEO plugin for WordPress that masks external links. Since my imagination is poor, I called it WP-NoExternalLinks. Over its entire history it had 360,000 installations and, it seems, up to 50,000 active installations.

Now I will tell you exactly how it ended up in unscrupulous hands and was used maliciously - but for that you have to dive a little into its history and development environment. Let me warn you right away that this story is absolutely real.


Story


Only at first glance does the plugin's task seem elementary - in reality it had to implement a bunch of different masking options, work with caching plugins, avoid conflicts with other content parsers, support any permalink structure and every new version of WordPress, and so on. For about 8 years I supported this plugin, responded to bug reports and sometimes debugged other people's sites, whose gullible owners voluntarily gave me all their logins and passwords.

At some point it became clear to me that I had not been using the plugin for many years, I was not interested in maintaining its code, and I was getting nothing from developing it. For reference, I will clarify that the description and the plugin's settings page had unobtrusive links and buttons suggesting a voluntary donation - but over the entire history of the plugin I received around $40. So there was no monetary motivation, no development motivation either, and I had grown rather tired of every user somehow thinking you owe them something because they installed your program or plugin (many users really seem to think that as soon as they install the program, some cloud spirit hands the developer a bag of money).
This is not to say that the world is unfair and I wept bitter tears of resentment - just to make it clear that for several years I supported this plugin only out of the strange feeling that users trusted me and I could not deceive them by dropping support. Looking back at those feelings now, I understand it was a foolish feeling, and I should have calmly buried the plugin and gone about my business. But that is my perception from 2018 - with the arrival of two children, priorities change quite a lot.



Sale


And at some point a certain citizen turned up who offered me a good sum of money to buy the plugin. Honestly, I was sure it was some kind of scam, and I talked with him purely out of curiosity (well, as with all sorts of Nigerian princes). My skepticism left when we agreed to use a trusted service for this kind of transaction. Here it got interesting - there was a feeling that they really would pay me, but I suspected that some kind of vulnerability would quickly appear in the plugin, so I prepared in advance a letter to the WordPress support team so the plugin could be blocked instantly. But by then I almost believed the plugin really was being purchased to expand the portfolio of a company doing SEO optimization (that was exactly the motivation explained to me).

And you know what happened next? I honestly received the transferred money, and a few days later a major update came to the plugin, in which the interface was completely changed and the codebase reworked (but compatibility was kept) - so it now looked more like code from 2017 than from 2010 (at least a mid-level developer had worked on it). I was terribly pleased - I had found interested people who would support my toy and who had already brought a lot of good into it, pleasing the plugin's users.

Nevertheless, I watched the plugin's code and updates for two weeks, keeping my finger on the send button of that letter to the WordPress team just in case. But everything was fine and I calmed down.



Vulnerability


I would like to stop here and end this as a success story, but alas. A few months later the guys from a third-party WordPress security project contacted me and told me there was a backdoor in the plugin, and they were interested in the details of how I had transferred the rights to the new developer. After checking, I confirmed that the plugin really was blocked on the WordPress site. Next I corresponded with WordPress support; the brief results are as follows:


By the way, the planted code turned out not to be a malicious backdoor but simply added some SEO links for unsuspecting users. Unpleasant, but not as fatal as it could have been.

According to the results of the communication:


UPD. At the request of those who have the plugin: the planted code is in plugin versions 4.2.0 - 4.2.2. Version 4.3 was fixed by WordPress support, versions before 4.0 were mine, and in versions 4.0.0 - 4.1.0 the planted code had not yet been added. Most likely your blog has already updated the plugin to the secure version 4.3.

Findings


For me the most interesting questions were "would I have sold this plugin if I had known it would be used maliciously?" and "would I do it again given the opportunity?". On the one hand, I would like to believe not. On the other hand, in reality I have a choice between "staying loyal to people who never even said thank you for using the results of my work" and "going on a seaside vacation with the children". Well, I don't know. The temptation is serious.



You could say there are some reputational risks for me here, but... I am not a company that can be disgraced across the whole Internet. Nor am I an icon of the development world; I am just one of millions of developers who occasionally write something open source. And to be honest, you cannot lose a reputation that does not exist. It is amazing that after the sale of the plugin not even one resource connected my name with it. So - no reputational risk.

Separately, I note that where the risks concern my commercial activity, the picture is completely different. At my job I am paid money and I have certain obligations. I have repeatedly received offers of a dubious nature, and I have not accepted a single one - even when I knew my intervention or data transfer could not be traced. With commercial projects there is a completely different degree of responsibility - and, oddly enough, not only because they pay me there and because I signed 100,500 pieces of paper. First of all, I feel responsible because they value me there, trust me, and show it. So I cannot betray the trust shown. And returning to open source... here the picture is completely different. For example, besides plugins I also have mobile apps. They are supported on several resources, including w3bsit3-dns.com. And usually a user (I have several thousand of them) goes there to leave a message like "this turd doesn't work" (literal quotation). Well... When after that a pull request comes to me that updates the binaries in the application's dependencies, it is very hard not to ignore it or not to accept it blindly, instead of rebuilding it again with my own hands and publishing a new release.

Remember - no one owes you anything


I repeat - my goal is not to complain about how bad everything is, but just to remind you that in open source no one owes anyone anything. And you need to take care of the security of every third-party component you use, starting from the physical server your projects run on (if you have an "acquaintance" there, anything is possible), and continuing with front-end and back-end components, plugins, frameworks, CMS and so on. And not all the problems in the world are solved by "entering card data in an iframe", as a recent article suggested.

What to do


What can you do besides watching your own security? At a minimum, you can be more responsible about the fact that you use other developers' work. Look at what you are actively using right now. Buy a license for the website you cracked two years ago. Pay for the cleverly obtained template you used in a large order. Set up automatic payments to web developers. Stop writing under every PVS-Studio post about how heroically you remove comments from your code to use the tool for free. Finally donate $5 to the developer of KeePass for Android - he only asks for it on major holidays.

If there is no money, go to the issues and describe the problem, or send a pull request. Remember that error you get under exotic conditions, reproduce it and describe it to the developer. Make a pull request from your fork in which you fixed some bug that is otherwise just sitting with you.

If you have neither the money nor the opportunity to participate in development, just go and say "thank you" to the developer. Of course, that won't fill anyone's stomach - but even this pleases the developer and is sometimes an incentive to keep working. It is amazing that in spoken communication it is customary to thank people for what they do for you, but this rule is rarely applied in open source development.



By the way, these rules apply not only to development. You can also adopt a rule: liked a book you downloaded from a torrent - buy it. Like the music - take part in crowdfunding the new album. It seems so simple, but very few people do it. Let's help each other, and the world will be better. And safer.

As for what you can do as a developer, think right away about how to support your project. Maybe you can figure out how to get other developers involved. Or offer additional services - for example, support and debugging for a fixed price, or Enterprise solutions based on your project. For example, if I had charged at least $10 for supporting the plugin on user sites, then maybe I would have had a decent income that would have let me not sell the plugin and continue developing it. Many consider monetizing a project something bad and inherently smelly, but in the end it only allows you to devote a lot of time to the project and take care of its quality.

I apologize for taking so much of your time reading very obvious things - it's just that experience shows their obviousness doesn't affect their application. And this plugin case made me think a lot. I hope you also found it interesting and useful.

Source: https://habr.com/ru/post/348142/
