
posted by janrinok on Wednesday April 17 2019, @01:46PM
from the and-he-shall-rain-down-fire-and-brimstone dept.

Ars Technica is running an article about a "self-proclaimed security provider" who has released exploits for three separate zero-day vulnerabilities in plugins used in the WordPress (an open-source content management system) software ecosystem.

According to the Ars Technica article:

Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice but to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.

In-the-wild exploits against Social Warfare, a plugin used by 70,000 sites, started three weeks ago. Developers for that plugin quickly patched the flaw but not before sites that used it were hacked.

All three waves of exploits caused sites that used the vulnerable plugins to surreptitiously redirect visitors to sites pushing tech-support scams and other forms of online graft. In all three cases, the exploits came after a site called Plugin Vulnerabilities published detailed disclosures on the underlying vulnerabilities. The posts included enough proof-of-concept exploit code and other technical details to make it trivial to hack vulnerable sites. Indeed, some of the code used in the attacks appeared to have been copied and pasted from the Plugin Vulnerabilities posts.

The author also pointed out that 11 days passed between the disclosure of the Yuzo Related Posts zeroday and the first known reports it was being exploited. Those exploits wouldn't have been possible had the developer patched the vulnerability during that interval, the author said.

Asked if there was any remorse for the innocent end users and website owners who were harmed by the exploits, the author said: "We have no direct knowledge of what any hackers are doing, but it seems likely that our disclosures could have led to exploitation attempts. These full disclosures would have long ago stopped if the moderation of the Support Forum was simply cleaned up, so any damage caused by these could have been avoided, if they would have simply agreed to clean that up."

[...] The crux of the author's beef with WordPress support-forum moderators, according to threads such as this one, is that they remove his posts and delete his accounts when he discloses unfixed vulnerabilities in public forums. A recent post on Medium said he was "banned for life" but had vowed to continue the practice indefinitely using made-up accounts. Posts such as this one show Plugin Vulnerabilities' public outrage over WordPress support forums has been brewing since at least 2016.

Ars Technica goes on to editorialize:

To be sure, there's plenty of blame to spread around recent exploits. Volunteer-submitted WordPress plugins have long represented the biggest security risk for sites running WordPress, and so far, developers of the open source CMS haven't figured out a way to sufficiently improve the quality. What's more, it often takes far too long for plugin developers to fix critical vulnerabilities and for site administrators to install them. Warfare Plugins' blog post offers one of the best apologies ever for its role in not discovering the critical flaw before it was exploited.

But the bulk of the blame by far goes to a self-described security provider who readily admits to dropping zerodays as a form of protest or, alternatively, as a way to keep customers safe (as if exploit code was necessary to do that). With no apologies and no remorse from the discloser—not to mention a dizzying number of buggy, poorly-audited plugins in the WordPress repository—it wouldn't be surprising to see more zeroday disclosures in the coming days.

A weakness of community-developed software, which is also its biggest strength, is that profit is not the motive. As such, developers may or may not be responsive to reports of security vulnerabilities.

So where do Soylentils fall on this? Is the guy who disclosed the vulnerabilities without reporting them to the developers first most at fault for site compromises, or are the plugin developers who failed to patch their code in a timely fashion the real villains?


  • (Score: 0) by Anonymous Coward on Wednesday April 17 2019, @02:30PM

    by Anonymous Coward on Wednesday April 17 2019, @02:30PM (#831037)

    It's more like a set of guidelines...

  • (Score: 0) by Anonymous Coward on Wednesday April 17 2019, @02:44PM (6 children)

    by Anonymous Coward on Wednesday April 17 2019, @02:44PM (#831049)

On one hand, the researcher is not following the responsible disclosure... tradition? set of informal rules? discursive praxis?

    On the other hand, if he has 0days, it is his prerogative to do whatever the fuck he decides to do with them.

    Who made the error? Developer. Who is not smart enough to make code with no exploitable flaws? Developer.

    This assumption, that we all have to play nice OR ELSE WE PUNISH YOU, is not constructive.

    Who did not listen? Developer.

    Who must suffer in this situation? The one with most hubris and least intelligence, Developer.

    It is regrettable, but no one can force a researcher to do as they wish, without presenting a credible threat first?

As a developer, you are literally at his mercy, and maybe it's best not to antagonize?

    Maybe it's best to submit and enjoy the submission? Oh my, look at the size of that ego.

    • (Score: 1, Informative) by Anonymous Coward on Wednesday April 17 2019, @03:03PM (5 children)

      by Anonymous Coward on Wednesday April 17 2019, @03:03PM (#831064)

As a developer, you are literally at his mercy, and maybe it's best not to antagonize?

      Don't antagonize him? Why, is he going to reveal a -1day vulnerability? He can't do worse than he already is.

      Maybe it's best to submit and enjoy the submission?

      Submit? Fuck that. You fix whatever needs to be fixed and fight each and every day.

      • (Score: 1) by fustakrakich on Wednesday April 17 2019, @03:21PM (4 children)

        by fustakrakich (6150) on Wednesday April 17 2019, @03:21PM (#831078) Journal

        Submit? Fuck that.

        You do see the difficulty, right?

        --
Politics and criminals are the same thing.
        • (Score: 0) by Anonymous Coward on Wednesday April 17 2019, @04:30PM (3 children)

          by Anonymous Coward on Wednesday April 17 2019, @04:30PM (#831129)

          Nothing is easy. Keeping sites secure is hard. Keeping clients who want to use WP safe from themselves is harder still.

          • (Score: 1) by fustakrakich on Wednesday April 17 2019, @04:36PM (2 children)

            by fustakrakich (6150) on Wednesday April 17 2019, @04:36PM (#831132) Journal

            You still have to submit

            --
Politics and criminals are the same thing.
            • (Score: 0) by Anonymous Coward on Thursday April 18 2019, @03:09AM (1 child)

              by Anonymous Coward on Thursday April 18 2019, @03:09AM (#831480)

              You may have to submit, but that is your inherent weakness. We do not submit. Security is serious business. We prepare, we take things head on, and we fight fight fight (much like Itchy and Scratchy, but without a theme song).

              If you want to submit you can go right ahead. Not us.

              • (Score: 1) by fustakrakich on Thursday April 18 2019, @03:44AM

                by fustakrakich (6150) on Thursday April 18 2019, @03:44AM (#831493) Journal

                We do not submit.

                It's too late. You already have.

                --
Politics and criminals are the same thing.
  • (Score: 5, Interesting) by RS3 on Wednesday April 17 2019, @04:25PM (13 children)

    by RS3 (6367) on Wednesday April 17 2019, @04:25PM (#831124)

    I think the disclosing person was in the wrong, expressing frustration with the whole system and how much the world has come to accept buggy code (and hardware). I understand and share his frustration, but it's not okay to cause damage and destruction. Better he would fix the code and release his own version.

    • (Score: 3, Interesting) by NotSanguine on Wednesday April 17 2019, @04:41PM (6 children)

      by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Wednesday April 17 2019, @04:41PM (#831138) Homepage Journal

      I think the disclosing person was in the wrong, expressing frustration with the whole system and how much the world has come to accept buggy code (and hardware). I understand and share his frustration, but it's not okay to cause damage and destruction. Better he would fix the code and release his own version.

      An excellent point, IMHO. If what the Ars article suggests is true: that this guy started doing this to "punish" the WordPress community for ostracizing him after he *repeatedly* posted vulns/exploits to WordPress discussion sites, then he's definitely way off the reservation.

      That said, it brings up a larger point about how (or if) FOSS code is maintained in the absence of a profit model. As we all know, most FOSS is developed by folks who have a problem to be solved or an itch to be scratched. Often those folks move on to other things and don't have the time (or inclination) to support that code.

      Especially in the arena of CMS [wikipedia.org], where many users of the technology don't have the skills to fix bugs even if there is an impetus (broken functionality, vulnerabilities, etc.) to do so.

      As a counterexample, with development libraries and tools, the user base is both motivated *and* competent to do maintenance/fixes/feature enhancements.

      I don't have a good solution to the problem but, as time goes by, we'll need to find some or we're going to have either lots more problems, corporate takeovers of "important" tools/software (cf. Linux), or both.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 0) by Anonymous Coward on Wednesday April 17 2019, @06:20PM (5 children)

        by Anonymous Coward on Wednesday April 17 2019, @06:20PM (#831193)

        An excellent point, IMHO. If what the Ars article suggests is true: that this guy started doing this to "punish" the WordPress community for ostracizing him after he *repeatedly* posted vulns/exploits to WordPress discussion sites, then he's definitely way off the reservation.

        As I see it, the whole "responsible disclosure" rigamarole is an issue of politeness. Not tradition, rule or even law. It arose from a desire to get companies to fix their shit, so that eventually the vulnerability was released, while not leaving the users in the lurch.

        If I don't have respect for the software, the company it came from, or the users, I would feel no hesitation to release the details. I'm thinking of software like M$ Windoze, SystemD, PHP, or WordPress here.

        • (Score: 3, Interesting) by NotSanguine on Wednesday April 17 2019, @06:47PM (3 children)

          by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Wednesday April 17 2019, @06:47PM (#831216) Homepage Journal

          If I don't have respect for the software, the company it came from, or the users, I would feel no hesitation to release the details. I'm thinking of software like M$ Windoze, SystemD, PHP, or WordPress here.

          I take your point, but it's not the developers who take the hit. It's the users of said software. Should *they* be punished because you don't like the publishers of certain software packages?

          Out of curiosity, if you have issues with a piece of software or certain developers, why would you take that out on users? That seems rather sociopathic. Do you just see other humans as objects to be manipulated? Don't you have enough respect for yourself to see the value in respecting others?

          The developers will just (maybe) fix vulnerabilities and move on, without any real impact on them. However, lots of users (who you don't and never will know, and who certainly never did you any harm) will likely get pwned, potentially resulting in losses of money and good will.

That doesn't seem to be a reasonable strategy to negatively impact software developers to me. It just seems like a dick move by assholes who crave self-aggrandizement and decide to do so at the expense of end users.

          That said, *custom* calls for private disclosure to developers, with public disclosure coming either *after* patches are available or a refusal to acknowledge or fix the problem by the developers.

          No. There's no "law" that says you have to do that, just as there's no law saying that you should say "please" and "thank you" in normal interactions with others.

          I tell you what, why don't you do a little experiment: Whenever you interact with other humans, instead of saying "hello" or "please" or "thank you" when custom suggests you should do so, say "fuck you!" or "Suck my balls, asshole!" or something similar. I wonder how well that will work out?

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr
          • (Score: 3, Interesting) by Azuma Hazuki on Wednesday April 17 2019, @07:23PM (1 child)

            by Azuma Hazuki (5086) on Wednesday April 17 2019, @07:23PM (#831256) Journal

            Sometimes the developers don't give a shit. And sometimes the only way to get them to give a shit is to make sure that their code has real-world consequences. It's not nice, no, and I don't like the idea of harming innocents, either. But if the zero days exist, they are going to be exploited sooner or later,

            Were I in his position I'd start by fixing the vuln and submitting patches, with an explicit warning that if they are not taken up and applied, in X days I will go public, and will also post any relevant email or message board threads detailing the utter lack of shitsgiving on the side of said developers.

            --
            I am "that girl" your mother warned you about...
            • (Score: 3, Interesting) by NotSanguine on Wednesday April 17 2019, @11:22PM

              by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Wednesday April 17 2019, @11:22PM (#831384) Homepage Journal

              Reasonable points all.

              And vulnerabilities being disclosed without published patches has been done a bunch of times, usually because the developer doesn't respond in a timely fashion.

              At which point, there's not much else to do, unless you want to fork the codebase. Which then makes you responsible for fixing the bugs.

              --
              No, no, you're not thinking; you're just being logical. --Niels Bohr
          • (Score: 0) by Anonymous Coward on Wednesday April 17 2019, @09:53PM

            by Anonymous Coward on Wednesday April 17 2019, @09:53PM (#831337)

            I take your point, but it's not the developers who take the hit. It's the users of said software. Should *they* be punished because you don't like the publishers of certain software packages?

            I just don't care. I do not care for vain asses who put up a WordPress site. I have no pity with corporations who mandate Windoze because the CIO got a lunch with Bill Gates. I hope that the outcry of owned SystemD users will cause complacent heads to roll in Big Linux.

        • (Score: 0) by Anonymous Coward on Wednesday April 17 2019, @07:39PM

          by Anonymous Coward on Wednesday April 17 2019, @07:39PM (#831269)

          John Michael Grillot, is that you?

    • (Score: 2) by Runaway1956 on Wednesday April 17 2019, @06:53PM (5 children)

      by Runaway1956 (2926) Subscriber Badge on Wednesday April 17 2019, @06:53PM (#831222) Journal

      +3 interesting. Yeah, that's fair. I still disagree. If Microsoft writes code that sucks ass, and makes us all vulnerable, SOMEONE is going to discover it, eventually. In which case, it is MICROSOFT who caused the harm, when the vulnerability is exposed for the world to see.

Better that he fix the code, and release it? I like that idea, but damned near everyone in the world copyrights, patents, and places restrictive licenses on their software. Releasing a better version of crap software is likely to land you in court, then in prison.

      • (Score: 0) by Anonymous Coward on Wednesday April 17 2019, @07:37PM (2 children)

        by Anonymous Coward on Wednesday April 17 2019, @07:37PM (#831266)

damned near everyone in the world copyrights, patents, and places restrictive licenses on their software. Releasing a better version of crap software is likely to land you in court, then in prison.

        You do realize we're talking about FOSS here, right?

        • (Score: 2) by Runaway1956 on Wednesday April 17 2019, @08:09PM (1 child)

          by Runaway1956 (2926) Subscriber Badge on Wednesday April 17 2019, @08:09PM (#831283) Journal

          Yeeeees, in this case, we're talking about FOSS. But 0-days aren't exclusive to FOSS.

          • (Score: 0) by Anonymous Coward on Wednesday April 17 2019, @11:28PM

            by Anonymous Coward on Wednesday April 17 2019, @11:28PM (#831388)

            Yeeeees, in this case, we're talking about FOSS. But 0-days aren't exclusive to FOSS.

            Fair enough. But you said:

            damned near everyone in the world copyrights, patents, and places restrictive licenses on their software.

            And that's not even *close* to being true. I know it's hard to think clearly through that haze of meth [convio.net], but this isn't a political topic, so you can turn off your usual outrage -- if you can even do that any more.

      • (Score: 3, Informative) by RS3 on Wednesday April 17 2019, @09:18PM (1 child)

        by RS3 (6367) on Wednesday April 17 2019, @09:18PM (#831311)

        The article, unless I'm misreading it, is about 2 free open-source WordPress plugins, and my post was in that context (not proprietary / closed-source).

> Better that he fix the code, and release it? I like that idea, but damned near everyone in the world copyrights, patents, and places restrictive licenses on their software. Releasing a better version of crap software is likely to land you in court, then in prison.

        Oops- forgot to apply parking brake- another one drifting downhill, running away!

        You might not be familiar with some of the open-source licenses. The general gist is: you're free to modify and redistribute the modified code, but it must remain open-source, must clearly state and display that it has been changed, retain the original credits, etc.

        Just to be sure before posting this, I downloaded the "Yellow Pencil" plugin and read the GPL license. Again, I really don't know how a court would interpret it, but it is as I described. IANAL, but I'm sure you know that no contract can usurp established laws, codes, or case precedent, so again, it's up to courts to interpret these licenses under existing laws.

  • (Score: 0) by Anonymous Coward on Wednesday April 17 2019, @10:29PM (2 children)

    by Anonymous Coward on Wednesday April 17 2019, @10:29PM (#831360)

Has anyone inquired into this researcher's religious affiliation? It's suspicious that he disclosed vulnerabilities without reporting them first, almost as if he had declared a war against WordPress because the program wasn't endorsed by his holy texts.

    • (Score: 0) by Anonymous Coward on Wednesday April 17 2019, @11:38PM

      by Anonymous Coward on Wednesday April 17 2019, @11:38PM (#831395)

      Has anyone inquired into this researcher's religious affiliation?

      Yes. I believe he's a vi[m] guy.

    • (Score: 0) by Anonymous Coward on Thursday April 18 2019, @03:11AM

      by Anonymous Coward on Thursday April 18 2019, @03:11AM (#831482)

      Has anyone inquired into this researcher's religious affiliation?

      Sounds like an Old Testament crusade of vengeance to me. Looks like he's a Christian fundamentalist.
