WordPress auto-update server had flaw allowing anyone to add anything to websites worldwide

Up to a quarter of all websites on the internet could have been attacked through a since-patched vulnerability that allowed WordPress' core update server to be compromised. The since-shuttered remote code execution flaw was found in a PHP webhook within api.wordpress.org that allows developers to supply a hashing algorithm of …

  1. W Donelson

    Welcome to the future. It's not safe.

    As complexity rises, so do opportunities for penetration.

    Felony charges against the highest-paid directors of software companies might focus their minds from THEIR BOATS to their customers, and the general public.

    1. Anonymous Coward

      Re: Welcome to the future. It's not safe.

      "As complexity rises, so do opportunities for penetration."

      There's a joke in there somewhere.

      About the complexities of the fairer gender. And how this explains everything.

    2. Ole Juul

      Re: Welcome to the future. It's not safe.

      I do think that users in general also need to start taking this a little more seriously. We've had computers and the internet for so long now yet many people have actively avoided getting a basic education. We learn arithmetic, grammar, and literature in school so we can actively take part in a society that uses those to understand and communicate with each other. Why not take the same interest in the basic workings of contemporary computer usage? Is that not part of what would be a basic education nowadays? I'm not saying we all need to become mathematicians or expert grammarians, but a basic understanding of the vocabulary of the times is not too much to ask.

      It's actually more basic than that. The world has never been a safe place. Most people learn to function in a public setting that includes shysters and con artists of all kinds. We know when others are dangerous or deceptive when we encounter them in person. It is not hard to transfer that knowledge to an on-line environment and at least take a little responsibility for one's own safety.

    3. a_yank_lurker

      Re: Welcome to the future. It's not safe.

      "Felony charges against the highest-paid directors" - After a few billions, fines and a couple years in the local Club Fed are chump change. Going to need something a bit harsher like seizure of assets plus a permanent vacation in Club Fed.

    4. PassiveSmoking

      Re: Welcome to the future. It's not safe.

      The problem is software is complex and with the best will in the world a non-trivial system is always going to contain bugs. You could take every possible precaution in your development process to avoid security holes and still end up with one exploitable bug in the system that may go unnoticed for years. Is it fair to toss people in jail for that? Especially given that most developers are fundamentally creative by nature and struggle to think in the same way a fundamentally destructively-minded hacker would and might not notice that the fantastic new feature they've just implemented could be hijacked and used for nefarious purposes?

      No, it's better to simply accept the fact that all software is going to be buggy to some extent and have mitigations in place to limit the damage that said bugs are capable of causing by compartmentalising systems so a compromise in module A doesn't allow you to cause further damage by manipulating the behaviour of module B.

      1. Anonymous Coward

        Re: Welcome to the future. It's not safe.

        Yeah. I already steer clear of e-commerce work because it's a minefield of 3rd-party shitware (including Wordpress plugins) and brain-damaged security regs. Add the direct threat of prison to the mix, don't be surprised when you can't even get Indian outsourcers to do the work.

      2. Charles 9

        Re: Welcome to the future. It's not safe.

        No, we can't accept that software WILL be vulnerable because that ALSO means we must accept that all software must be COMPLETELY vulnerable, essentially making it worse than useless, which means we'll have to go all Luddite back to the Sears catalog.

        1. PassiveSmoking

          Re: Welcome to the future. It's not safe.

          "No, we can't accept that software WILL be vulnerable because that ALSO means we must accept that all software must be COMPLETELY vulnerable"

          Like it or not, that's the reality we live in right now.

          Pretending it's not so will not change the fact that it is. Everything is vulnerable. Of course every care should be taken to avoid coding practices that lead to vulnerabilities, and of course every time a vulnerability is unearthed it should be fixed, but while we pretend that software isn't all vulnerable we won't design systems to be able to resist attack. When we accept that all software is vulnerable we'll start applying better practices such as compartmentalising it so the damage can be contained when somebody finds a way into a system that they shouldn't have access to for long enough to prevent the attacker gaining further access.

          It's like the ant colony that defends itself heavily around its perimeter with warrior ants but if you get past them you have unfettered access to the queen, the food stores, the nursery, etc etc.

          1. Charles 9

            Re: Welcome to the future. It's not safe.

            "When we accept that all software is vulnerable we'll start applying better practices such as compartmentalising it so the damage can be contained when somebody finds a way into a system that they shouldn't have access to for long enough to prevent the attacker gaining further access."

            But we also have to accept that any two modules that MUST interact with each other MUST also be a potential bridge for malware. Part and parcel. Plus there's always someone who will take the effort necessary to COLLECT everything they need, no matter how long it takes. Some hackers are bored, have the time to spare, and welcome a challenge, and hardened targets are as ostentatious as open doors to them. Compartmentalize and they'll just hit all the compartments. Separate privileges and they'll collect them. Like I said, if it's vulnerable, we have to assume someone WILL put forth the effort to wedge it into a full-on breach.

            1. PassiveSmoking

              Re: Welcome to the future. It's not safe.

              "Some hackers are bored, have the time to spare, and welcome a challenge, and hardened targets are as ostentatious as open doors to them"

              No question that there are people like that out there, but the era of the hacker who does it for the challenge being the norm is long past. The vast majority of hacking is done these days for profit, either by installing malware or spamvertising, spreading ransomware, etc. For this breed of hacker the value of hacking a system is inversely proportional to how much effort is needed. You might never be able to slam the door shut but you can make it tough enough to open to make it not worth it for the hacking-as-a-business brigade.

              1. Charles 9

                Re: Welcome to the future. It's not safe.

                But if the target is high enough value, even perceived value (say a beef against the company), then the effort could be justified. And there are no end to the grudges that can exist.

    5. EJ

      Re: Welcome to the future. It's not safe.

      Last I knew, WordPress is free software, so this 'rich corporate bastards' take is probably not very hot.

      1. ecofeco Silver badge

        Re: Welcome to the future. It's not safe.

        > Last I knew, WordPress is free software, so this 'rich corporate bastards' take is probably not very hot.

        There are several tiers. The 1st tier IS free. You pay for fancy stuff from there on in.

        Estimated revenue for 2016 is $55 million. There is no "hot take" only facts.

  2. JeffyPoooh

    And in related news...

    27.1% of the WWW are Wordpress sites... ???

    Are you fookin' serious?

    What next? AOL runs another 42%?

    1. Anonymous Coward

      Re: And in related news...

      Sadly, it could be possible. I haven't seen a shared host or "Website Builder" in the last 10 years that didn't give it as an option. But, Wordpress might mimic AOL in this number. If Wordpress is enabled but you never use it, that 1 lone URL with Wordpress might be counted toward the percentage. After all, if you use google once on your site, your site uses Google (regardless of how realistic the usage is).

      1. Anonymous Coward

        Re: And in related news...

        I believe it. Wordpress isn't something you "enable" on a website, it IS the website. If it's 27% of all sites, it may be over 50% of sites that people actually use. Blogs, corporate, government, banks, news media, even "venerable" sites like Wired. Hit "view source" on any site you happen to be viewing, chances are you'll find telltale "wp-" crap strewn all over.

    2. ecofeco Silver badge

      Re: And in related news...

      I've seen many, MANY businesses use Wordpress as their official website.

      Which is insanity. The Wordpress admin console is the biggest pile of shit I have ever had the displeasure to have to use. The plug-ins and add-ons are even worse. It defines "non-intuitive", yet the average user doesn't really have much better choices in website builders, will not search for one as they do not have the knowledge, and many hosts either offer a crappy one or charge for it.

      That said, I'm currently playing with a new website builder called Mobirise, which has got to be the simplest website builder I have ever seen and seems perfect for individuals and small businesses.

      But let's face it, most people are not going to pay for a website designer nor learn, say, Dreamweaver Adobe Creative Suite. Wordpress then becomes the default.

      1. a_yank_lurker

        Re: And in related news...

        "I've seen many, MANY businesses use Wordpress as their official website." - HTML and CSS combined with judicious usage of a JavaScript (aka JackassScript) and a server side language with a solid framework (Python/Django or Ruby/Rails, e.g.) might be smarter. None of these are terribly difficult to learn well with a little bit of effort. And you have more control over the final result.

        1. David Austin

          Re: And in related news...

          "None of these are terribly difficult to learn"

          For someone technically minded or who has a hobbyist interest: no, it's not.

          For a Startup or SMB owner, who has limited time and funds, which have to be used just to keep the business going, it's additional aggravation they don't need if they just want a splash page or a link over to PayPal or SagePay.

          Heck, even a Blogger who's more interested in the message than the medium can use the same argument.

          Put in that context, WordPress, with a relatively simple point and click setup, and thousands of themes and styles ready to go, makes perfect sense.

          1. Charles 9

            Re: And in related news...

            "For someone technically minded or has a hobbyist interest: no, it's not."

            Then they shouldn't be risking other people's computers putting an unsafe product out on the web. That's why we have people take tests before they get their driver's licenses, tougher tests for commercial licenses. If you're going to run a business out on the web, one should be able to know how to handle it him or herself, AND they MUST assume legal responsibility for any faults that are traced to them, just as accidents can have liability attached. Unlike requiring a license to run a web browser, requiring a license to run a business (and this IS a business) has justification because it services the public.

            "It depends. Aside from the learning curve for the average SMB owner, the problem with rolling your own is that you are then entirely responsible for maintaining it, including finding and fixing any vulnerabilities (or even just run of the mill bugs) you might have accidentally introduced."

            Just like running a brick & mortar business. You have responsibilities.

            "It also makes things like server refresh a pain as you'll have to take your codebase into account."

            So does moving.

            "That's more responsibility than your average SMB wants to take on."

            There's a big difference between WANTING to take it on and NEEDING to take it on.

        2. Ben Tasker

          Re: And in related news...

          > HTML and CSS combined with judicious usage of a JavaScript (aka JackassScript) and a server side language with a solid framework (Python/Django or Ruby/Rails, e.g.) might be smarter.

          It depends. Aside from the learning curve for the average SMB owner, the problem with rolling your own is that you are then entirely responsible for maintaining it, including finding and fixing any vulnerabilities (or even just run of the mill bugs) you might have accidentally introduced.

          It also makes things like server refresh a pain as you'll have to take your codebase into account.

          That's more responsibility than your average SMB wants to take on. Off-the-shelf increases the number of people looking for holes and bugs, and someone else will likely fix those for you.

          On the flip-side, of course, the obscurity it brings does have a little bit of benefit. You won't get pwned when someone starts a script to find WP sites and use their latest 0-day on them. But if you're specifically targeted then rolling-your-own might well lead to you being an easier target.

        3. Anonymous Coward

          Re: And in related news...

          "None of these are terribly difficult to learn well with a little bit of effort."

          Have you ever tried explaining your job to your parents/grandparents?

          OK, now explain to them how to write code.

          I have seen so many intelligent people struggle to even understand the difference between pasting a URL as text and pasting it as a link, that your suggestion that these things are not difficult to learn for the world of plumbers and carpenters and child minders who want a website is akin to saying Trump is not going to be a terribly bad president.

          1. Anonymous Coward

            Re: And in related news...

            > Have you ever tried explaining your job to your parents/grandparents?

            Please do not use that silly "your mom could use it" metaphor. For all you know he is the son of Tim Berners-Lee and grandson of Brian Kernighan.

        4. Anonymous Coward

          Re: And in related news...

          > (Python/Django or Ruby/Rails, e.g.) might be smarter.

          Not in the hands of a typical Wordpress developer. The web is a security minefield. Anything with a web-based control panel is wide open. Every major framework and CMS regularly emits patches for embarrassing vulns. They don't get exploited as often as Wordpress because they don't run 27% of the web.

    3. Anonymous Coward

      Re: And in related news...

      >What next? AOL runs another 42%?

      Since Zuckerberg is essentially reverse-engineering AOL's business model circa 1998 that's not far from the truth. There's a whole cohort of 'internet users' who don't go near web browsers let alone WordPress sites.

    4. Stuart 22

      Re: And in related news...

      > 27.1% of the WWW are Wordpress sites... ???

      I assume it is the percentage of websites that didn't update to 4.6.1 or equivalents on 7th September and presumably vulnerable to this attack. I would have thought that percentage would have been higher with the number of folks who resist auto-update for good or bad reasons.

  3. This post has been deleted by its author

  4. wolfetone Silver badge

    You know, if you told me this in 2015 I'd have been shocked. But it's 2016, we've lost Bowie, Prince and the ability to remain sane and make sane decisions. So right now, after reading this article, all I can think is "nothing new here then".

  5. CAPS LOCK

    "HTML and CSS combined with judicious usage of a JavaScript..."

    Or you could try Serif Webplus. There's a free, page limited, version and it's very easy to use. No connection with Serif, just a satisfied user.

    1. knottedhandkerchief

      Re: "HTML and CSS combined with judicious usage of a JavaScript..."

      Serif Webplus would be useful for an individual responsible for a website. It's not a CMS or blogging platform - you can't log in online to the website and update or add pages or posts there. I'm sticking with WordPress as "better the devil you know", using Updraft Plus for pushing daily backups (keeping several historical copies in case an intrusion is not detected early enough) so I can recover quickly if it is compromised. I look after about 50 sites and have never had a single incident - probably due to using only the most well-known and maintained plugins, and updating frequently.

      The ability to recover is essential. Far too many WP sites have no backup whatsoever - the slightest compromise means rebuilding from scratch - have just taken over such an incident, painful.

  6. Mage Silver badge

    api.wordpress.org to be the single point of failure

    Even with signing, an update server might be compromised. The concept of infiltration of update servers (using some other method) is worrying:

    Linux, Windows, iOS etc.

    Yes, WP org have made a mistake, but even if they hadn't there is still a single point of vulnerability.

  7. Hans Neeson-Bumpsadese Silver badge

    I used to provide unpaid IT support to a friend of mine to help him with some of his ventures. The day he decided that he wanted to use WordPress for his website I told him "you're on your own"... way too many vulnerabilities and issues for me to want to get involved with keeping him safe from.

    1. ecofeco Silver badge

      I've done the same. Every time I try to help a friend with Wordpress, there is always, ALWAYS some undocumented glitch.

      It gets worse when they pick a fancy template.

  8. Anonymous Coward

    Signed updates

    I'm shooting from the hip here, but if I had to deal with this issue my first thought would be to use the OS' update mechanism (for Linux-based systems, I do not know what Apple or BSD use) and set up a repository for my updates, as many companies already do. Ideally, my updates would be integrated into the distro's standard repos.

    I have given this literally 30 seconds of thought so I may be way off base, but the fundamental idea is: avoid rolling out my own update technology by any means possible, use what is already out there.

    1. Charles 9

      Re: Signed updates

      Then what happens WHEN (not IF) THAT update mechanism gets compromised. Sounds like a Catch-22 if you ask me. The ONLY way to prevent stale exploits is unavoidably exploitable.

      1. AdamWill

        Re: Signed updates

        Most distros are a hell of a lot better at update security than Wordpress was, if the description here is accurate. At least we sign our goddamn updates.

        1. Anonymous Coward

          Re: Signed updates

          Slight problem... Debian's Wordpress package maintainers take several days to merge urgent security updates from upstream, and they usually break it. Debian-based distros include the same package. Others (Arch, Fedora, FreeBSD) don't have an official Wordpress package.

          1. Anonymous Coward

            Re: Signed updates

            > and they usually break it.

            Sounds like Debian all right. I moved away from it years ago (even before the SSH fiasco) precisely because of the package maintainers' habit of playing "we know better than the devs" (if your patches were not accepted by upstream, there might well be a reason).

            Anyway, just ranting.

        2. Charles 9

          Re: Signed updates

          Updates are signed here, too, but the miscreants found a way to bypass it. What's to say it's not possible with any other update mechanism on the planet? Plus there's always the threat of insiders, especially if the target is high enough value.

          1. Anonymous Coward

            Re: Signed updates

            > Updates are signed here, too, but the miscreants found a way to bypass it. What's to say it's not possible with any other update mechanism on the planet?

            It is perfectly possible. But since their use is that of any other form of software update, it would make sense to reuse the existing mechanisms, thereby reducing the unknowns and benefiting from a larger community of developers, apart from having a smaller attack surface on the product itself (by shifting some of the risk elsewhere). There are also some risks, such as the increased value as an exploitation target of a popular mechanism, as you point out; however, it appears that in this case WordPress is high enough value already while their home-cooked updates mechanism wasn't quite up to scratch.

            1. Charles 9

              Re: Signed updates

              "But since their use is that of any other form of software update, it would make sense to reuse the existing mechanisms, thereby reducing the unknowns and benefiting from a larger community of developers, apart from having a smaller attack surface on the product itself (by shifting some of the risk elsewhere)."

              Unless you DON'T TRUST them.

              1. Anonymous Coward

                Re: Signed updates

                > Unless you DON'T TRUST them.

                I agree, Charles, but I do not understand where you're trying to get at. Is that a general comment or concerning this particular case?
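The signed-updates argument running through this thread, together with Mage's point above that even a signed update server can be compromised, as an added example that is neither WordPress's nor any commenter's code: a Go client that pins a release public key kept offline and verifies an Ed25519-signed manifest before applying a package, so a server that can only swap files, rewrite the manifest or replay an old release is refused unless the attacker also holds the signing key. The manifest format, the release serial and the sample values are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
)

// Manifest is a constructed stand-in for what an update server hands out. The
// serial is a release counter the client remembers, so an old but genuinely
// signed release cannot be replayed at it by a compromised server.
type Manifest struct {
	Serial      int
	URL, SHA256 string
}

var (
	ErrBadSignature = errors.New("manifest not signed by the pinned release key")
	ErrMalformed    = errors.New("manifest is malformed")
	ErrNotNewer     = errors.New("manifest serial is not newer than installed")
	ErrHashMismatch = errors.New("package hash does not match the signed manifest")
)

// NewReleaseKey makes the signing pair; the private half never touches the server.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// PackageHash is the hex SHA-256 a manifest must carry for a package.
func PackageHash(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// SignManifest runs on the offline release machine. The server only relays the
// encoded manifest and its Ed25519 signature; it cannot produce either.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifest, sig []byte) {
	manifest = []byte(strconv.Itoa(m.Serial) + " " + m.URL + " " + m.SHA256)
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the client side: trust nothing in the manifest until the
// pinned key checks out, refuse anything not newer than what is installed,
// then insist the downloaded bytes hash to exactly what was signed.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, pkg []byte, installed int) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, manifest, sig) {
		return m, ErrBadSignature
	}
	f := strings.Fields(string(manifest))
	if len(f) != 3 {
		return m, ErrMalformed
	}
	serial, err := strconv.Atoi(f[0])
	if err != nil {
		return m, ErrMalformed
	}
	m = Manifest{Serial: serial, URL: f[1], SHA256: f[2]}
	if m.Serial <= installed {
		return m, ErrNotNewer
	}
	if PackageHash(pkg) != m.SHA256 {
		return m, ErrHashMismatch
	}
	return m, nil
}
```

What this does not cover is Charles 9's insider case: a stolen or misused signing key produces perfectly valid updates, which is a key-custody problem rather than one more client-side check.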

  9. cd

    Auto-update can be disabled. I did that to all the sites I manage after one failed partway and displayed only a white screen. Happened when they first came out with it, no notice that I saw that they were implementing it "for my own good".

    I suggested that it be optional in the GUI instead of requiring lines to be commented out; the reply I got from the founder was that they wanted everyone patched. The irony being that the sites that updated correctly sent me an email that they had, but the site that failed didn't send anything.

    Truth is that most WP users can barely handle logging in and adding content. Some of my users have needed me to do that as well, they just want a site. I'm happy to enable one more person to not be using Facebook and having more control over their content.

    Wordfence was a great security tool that has turned into a mirror of Wordpress, more features piled on and the core functionality that made it useful is degraded with every update. This piece smells a little like Symantec alerting us all to a new dangerous virus in a press release. And the Reg pimping it "just for clicks".

  10. AdamWill

    Not quite 'all' wordpress servers

    "Attackers that used the exploit could then send URLs to the WordPress update servers that would be accepted and pushed out to all WordPress sites."

    Well, not quite all. If you're using an OS distribution's wordpress package, it probably has the auto-update mechanism disabled, so you won't be vulnerable to this. I'd think.

  11. keithpeter Silver badge

    Just don't

    Read this from Maciej Cegłowski.

    I found that I was spending more time updating a WordPress installation on my shell account than actually posting, so I started using markdown and hacked up a few perl scripts to push static html pages out using lftp.

    1. Anonymous Coward

      Re: Just don't

      > Read this from Maciej Cegłowski.

      Cool blog from that one!

      Interestingly, he seems to have re-"re-invented" static websites a few years before the Github bloke, whatsisface Jekyll.
