At this point in time you’ve probably already read the news, brought to many of our attention via Sucuri, who found a huge gaping hole in a very popular WordPress plugin (over 900,000 downloads) that was being leveraged for ill-gotten gain, injecting spam into sites that ran it:
If you are using the Social Media Widget plugin (social-media-widget), make sure to remove it immediately from your website. We discovered it is being used to inject spam into websites and it has also been removed from the WordPress Plugin repository.
But the rub was that it wasn’t an “invasion” of bad code – it was accepted by the repository and delivered to all the blogs that had it installed via upgrade:
What is really concerning about this, isn’t even the SPAM injection. That happens all the time, it’s the fact that the malicious payload found its way in the core files. It was then uploaded to the WordPress.org Plugin Repository.
Naturally, this brings up questions of security at the plugin repository level (and the plugin review process) as well as an overall look at what might be the future of security threats for WordPress-powered sites.
On one hand it makes a lot of sense – now that WordPress powers over 17% of the top 1MM sites it’s becoming an even greater target for malicious code and people trying to take advantage of a huge groundswell of attention and installations.
But it also brings up even more questions about the rights of authors to sell, monetize, and transfer rights to plugins – is there an existing policy? From my knowledge there is none, as the “ownership” of a plugin happens outside the walls of the repository, besides the fact that you don’t have to put it there in the first place. There are a lot of authors who provide their users with direct access to their plugin outside the repo all the time.
As one person noted, this isn’t just a WordPress issue either – Joomla and other CMSs are targets too:
Unfortunately, this story is not new. One of our readers pointed us to a very similar case that happened in the Joomla ecosystem just a few weeks before. In similar fashion, the campaign was able to infiltrate more than 20,000 sites.
Finally, one of the saddest outcomes of all of this is the hit on the original author’s personal brand and association with the offending plugin. As Brian Freytag has shared,
The SMW legacy is now in shambles. I desperately found every site that referenced this stuff and cleared my name and distanced myself as far away from the plugin as I could. I went to Twitter and let all of the loyal fans I had know what was going on so they could remove social media widget.
This post is to completely separate myself from Social Media Widget. I am backing away from its legacy. I’m banishing it from my name.
In the end Brian even expressed some interest in taking a back seat for some time to let this “blow over” – it’s sad to see great talent and energy punished for someone else’s mistake (or purposeful violation). For the record, Brian, I think you did the right thing, and the rest is really out of your hands.
What say you? Do we have a growing issue in global WordPress security measures? What can (should) be done to stop even more of these types of attacks, if possible?