The story of how one WordPress plugin was compromised, or how you let vulnerabilities into your own projects

    A long time ago, when I was young and wrote websites in PHP, I wrote an SEO plugin for WordPress that masks external links. Since I have a poor imagination, I called it WP-NoExternalLinks. Over its history it had 360,000 installations and, it seems, up to 50,000 active installations.

    Below I will tell you exactly how it fell into dishonest hands and was used maliciously, but for that you will have to dig a little into its history and development environment. I'll warn you right away that this story is absolutely real.


    History


    Only at first glance does the plugin's task seem elementary. In fact, you had to implement a bunch of different masking options, make sure it worked with caching plugins, didn't conflict with other content parsers, worked with any permalink structure and with every new version of WordPress, and so on. For about 8 years I maintained this plugin, responded to bug reports and sometimes debugged other people's sites, whose trusting owners voluntarily handed me all their logins and passwords.

    At some point it became clear to me that the plugin hadn't solved any of my own tasks for many years, I wasn't interested in maintaining its code, and I got nothing else out of developing it. For reference: the description and the plugin's settings page had unobtrusive links and buttons suggesting a voluntary donation, but over the plugin's whole history I received around $40. So there was no monetary motivation and no development motivation either, and I was somewhat tired of every user believing for some reason that you owe them because they installed your program or plugin (it seems many users really think that as soon as they install a program, some cloud spirit hands the developer a bag of money).

    This is not to say that the world is unfair and I shed bitter tears of resentment. I just want to make it clear that for several years I maintained this plugin solely out of the strange feeling that users trusted me and I couldn't let them down by dropping support. Looking back at those feelings now, I understand it was a silly feeling, and I should have calmly buried the plugin and gone about my business. But that is me in 2018 speaking; with the arrival of two children, priorities change quite a lot.



    Sale


    And at some point a certain citizen showed up who offered me a good sum of money to buy the plugin. Honestly, I was sure this was some kind of scam, and I talked to him purely out of curiosity (as with all the Nigerian princes). My skepticism faded when we agreed to use a trusted escrow service for this kind of transaction. Here it got interesting: there was a feeling that they really would pay me, but I suspected that some vulnerability would quickly appear in the plugin, so I prepared a letter to the WordPress support team in advance in order to get the plugin blocked instantly. But by then I had almost come to believe that they really wanted to buy the plugin to expand the portfolio of a company doing SEO optimization (that was the motivation they gave me).

    And you know what happened next? The money honestly arrived, and a few days later a major update came out for the plugin in which the interface was completely redone and the code base reworked (while keeping compatibility), so it looked more like code from 2017 than from 2010 (a developer of at least middle level worked on it). I was terribly happy: I had found people interested in maintaining my toy, who had already brought a lot of good things to it, to the delight of the plugin's users.

    Nevertheless, for two weeks I kept an eye on the plugin code and its updates, just in case, with my finger on the button to email the WordPress team. But everything was fine and I calmed down.



    Vulnerability


    I would like to stop here and end this as a success story, but alas. A few months later, people from a third-party WordPress security project contacted me and told me that a backdoor had appeared in the plugin, and they were interested in the details of how I had transferred the rights to the new developer. After checking, I confirmed that the plugin really was blocked on the WordPress site. Then I corresponded with WordPress support; the brief results are as follows:

    • They received from me all the information that could help with the incident;
    • For a very long time they did not want to tell me anything about the vulnerability, and I had to search for it myself;
    • My offer to help was ridiculed, and they scolded me with all sorts of bad words for "selling the plugin to a spammer" and "loading them with work" (verbatim quotes);
    • After a while, the WordPress staff fixed the implant themselves and sent me a review (at least one positive point);
    • The plugin will remain blocked, and they will not transfer the rights back to it.

    By the way, the implant was by no means an evil backdoor; it simply added a few SEO links to the pages of unsuspecting users. Unpleasant, but not as fatal as it could have been.
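    What catching an addition like this looks like during the handover period described above: diff the new release against the last version you shipped and flag every added line that can put content into users' pages or hides what it does. This is an added example, not code from the plugin or from WordPress; the two PHP snippets inside it are constructed for illustration, and the script assumes you have both versions as plain text (the wordpress.org plugin directory keeps every released version in its SVN tags, so that is easy to obtain).

```python
"""Audit what a plugin update adds: new outbound URLs, risky PHP calls,
links hidden in base64 literals, and new WordPress hooks.

Added example, not the plugin's code. OLD_VERSION/NEW_VERSION are
constructed stand-ins for two releases of a link-masking plugin.
"""
import base64
import difflib
import re
from typing import Dict, List, Tuple

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# base64_decode('...') with a string literal argument: decode and inspect it.
B64_ARG_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
# Calls that are rare in a content-filter plugin and common in injected code.
RISKY_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|create_function|assert|curl_exec)\s*\("
)
# New hooks tell you where the update starts touching page output.
HOOK_RE = re.compile(r"\b(?:add_filter|add_action)\(\s*['\"]([^'\"]+)['\"]")

Finding = Tuple[str, int, str, str]  # (file, line number in new version, kind, detail)

# Constructed "before" release: one filter that rewrites external links.
OLD_VERSION: Dict[str, str] = {
    "plugin.php": """<?php
function mask_links($content) {
    return preg_replace('#<a href="(http[^"]+)"#', '<a href="/goto/?url=$1" rel="nofollow"', $content);
}
add_filter('the_content', 'mask_links');
""",
}

# Constructed "after" release: same code plus a late-priority filter that
# appends a base64-hidden SEO link to every post. example.com is a placeholder.
_HIDDEN = base64.b64encode(b'<a href="http://example.com/">seo</a>').decode()
NEW_VERSION: Dict[str, str] = {
    "plugin.php": OLD_VERSION["plugin.php"] + """function footer_extra($content) {
    $extra = base64_decode('__HIDDEN__');
    return $content . $extra;
}
add_filter('the_content', 'footer_extra', 99);
""".replace("__HIDDEN__", _HIDDEN),
}


def added_lines(old: str, new: str) -> List[Tuple[int, str]]:
    """Lines present in `new` but not in `old`, with their 1-based line numbers in `new`."""
    a, b = old.splitlines(), new.splitlines()
    out: List[Tuple[int, str]] = []
    for tag, _i1, _i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag in ("insert", "replace"):
            out.extend((j + 1, b[j]) for j in range(j1, j2))
    return out


def decode_b64_literals(line: str) -> List[str]:
    """Decode every base64_decode('<literal>') on the line; skip anything that is not valid base64."""
    decoded = []
    for literal in B64_ARG_RE.findall(line):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError
            continue
    return decoded


def audit_update(old_tree: Dict[str, str], new_tree: Dict[str, str]) -> List[Finding]:
    """Report what the new tree adds relative to the old one, file by file."""
    findings: List[Finding] = []
    for path, new_src in sorted(new_tree.items()):
        old_src = old_tree.get(path, "")  # a brand-new file is entirely "added"
        for lineno, line in added_lines(old_src, new_src):
            for url in URL_RE.findall(line):
                findings.append((path, lineno, "new-url", url))
            for fn in RISKY_RE.findall(line):
                findings.append((path, lineno, "risky-call", fn))
            for text in decode_b64_literals(line):
                for url in URL_RE.findall(text):
                    findings.append((path, lineno, "hidden-url", url))
                if "<a " in text.lower():
                    findings.append((path, lineno, "hidden-html", text.strip()))
            for hook in HOOK_RE.findall(line):
                findings.append((path, lineno, "new-hook", hook))
    for path in sorted(set(old_tree) - set(new_tree)):
        findings.append((path, 0, "file-removed", ""))
    return findings


if __name__ == "__main__":
    for path, lineno, kind, detail in audit_update(OLD_VERSION, NEW_VERSION):
        print(f"{path}:{lineno}: {kind}: {detail}")
```

    On the constructed update the script reports the base64_decode call, the link it conceals, and the new `the_content` hook, all on the lines that introduced them; a clean update (diffing a version against itself) reports nothing. The point is not the regexes, which any determined author can dodge, but the habit: review the added lines of every update from a new maintainer, and treat hidden strings and new output hooks as the places to read first.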

    To summarize the communication:
    • It took a long time to fix the vulnerability because of WordPress support's reluctance to cooperate;
    • WordPress forever lost one plugin and a developer who will no longer publish or update anything there. It is unlikely anyone will regret it, but nonetheless.


    UPD: At the request of those who have the plugin installed: the implant is present in plugin versions 4.2.0 through 4.2.2. Version 4.3 was fixed together with WordPress support; versions before 4.0 were mine, and in versions 4.0.0 through 4.1.0 the implant had not yet been added. Most likely your blog has already updated the plugin to the safe version 4.3.

    Conclusions


    For me, the most interesting questions were "would I have sold this plugin if I had known it would be used maliciously?" and "would I do it again if the opportunity arose?". On the one hand, I would like to believe not. On the other hand, in fact I have a choice between "staying loyal to people who didn't even say thank you for using the results of my work" and "going on a seaside vacation with the kids". Well, I don't know. The temptation is serious.



    One could say that there are some reputational risks for me, but... I am not some company that can be shamed all over the Internet. Nor am I an icon of the development world; I am just one of millions of developers who periodically write something in open source. And let's be honest: you can't lose a reputation that doesn't exist. It's remarkable that after the sale of the plugin at least one resource associated my name with it. So, no reputational losses.

    Separately, I note that when the risks concern my business, the picture is completely different. At work they pay me money, and I have certain obligations. I have repeatedly received various offers of a dubious nature, and I did not accept a single one, even when I knew that my interference or data transfer could not be traced in any way. With commercial projects there is a completely different degree of responsibility, and, oddly enough, not only because I am paid there and because I signed 100,500 pieces of paper. First of all, I feel responsible because they value me, trust me, and show it. Therefore I cannot betray that trust. And returning to open source... Here the picture is completely different. For example, besides plugins, I also have mobile applications. They are supported on several resources, including w3bsit3-dns.com. And usually a user (I have several thousand of them) goes there to leave a message like "this turd doesn't work" (literal quote). Well... When after that I receive a pull request that updates a binary among the application's dependencies, it is very hard for me not to ignore it, or not to accept it blindly, and instead rebuild it again with my own hands and publish a new release.

    Remember: no one owes you anything


    I repeat: my goal is not to complain about how bad everything is, but simply to remind you that no one owes anything to open source. And you need to take care of the security of every third-party component you use, starting with the physical server where your projects run (if you got it "through an acquaintance", anything is possible) and continuing with front-end and back-end components, plugins, frameworks, CMSs and so on. And not all the world's problems are solved by "entering card data into an iframe", as a recent article suggested.

    What to do


    What can you do besides monitoring your own security? At a minimum, you can take more responsibility for the fact that you use other developers' work. Look at what you are actively using right now. Buy a license for the WebStorm you cracked two years ago. Pay for the template you obtained by trickery and used in a big order. Set up an automatic recurring payment to the webpack developers. Stop writing in every PVS-Studio post about how you heroically strip the comments from your code in order to use the tool for free. Finally donate $5 to the developer of KeePass for Android; he only asks for it on major holidays.

    If you have no money, go to the issues and describe the problem, or send a pull request. Remember that bug you hit under exotic conditions, reproduce it and describe it to the developer. Make a pull request from the fork in which you fixed some bug, so that the fix no longer stays with you alone.

    If you have neither the money nor the opportunity to take part in development, just drop in and say "thanks" to the developer. As they say, you can't eat it, but even that pleases the developer and is sometimes an incentive to keep working. It is amazing that in spoken communication it is customary to thank people for what they do for you, yet this rule is so rarely applied in open source development.



    By the way, these rules apply not only to development. You can also make it a rule: if you liked a book you downloaded from a torrent, buy it. If you like the music, take part in crowdfunding the new album. It seems so simple, but few people do it. Let's help each other and the world will become better. And safer.

    As for what you can do as a developer: think right away about how to provide support for your project. Maybe you can figure out how to get other developers involved. Or offer additional services, for example support and debugging at a fixed price, or enterprise solutions based on your project. For example, if I had charged even $10 for supporting the plugin on users' sites, then perhaps I would have had a decent income that would have let me keep the plugin and continue developing it instead of selling it. Many consider monetizing a project to be something bad and inherently smelly, but in the end only that lets you devote a lot of time to the project and take care of its quality.

    I apologize for spending so much of your time on absolutely obvious things; experience just shows that their obviousness does not affect their application in any way. And this case with the plugin made me think a lot. I hope you also found it interesting and useful.


    Poll: Would you sell your open source project?

    • 21% (54 votes) Yes, if I am 100% confident in the buyer's reliability
    • 10.8% (28 votes) Yes, if I am almost sure of the buyer's reliability
    • 47.8% (123 votes) Yes, if they offer me a lot of money and there are no obvious signs of evil intent
    • 40.8% (105 votes) Yes, if they offer me a lot of money, I will sell it to anyone
    • 5.8% (15 votes) Yes, for any amount
    • 7.3% (19 votes) No, I will support it until death do us part
