Doc’s WordPress News Drop is a weekly report on the most pressing WordPress news. When the news drops, I will pick it up and deliver it right to you.
Open source security expert, Scott Arciszewski, had a lot to say about WordPress’s auto-update feature. So he wrote it up on Medium and got a response, also on Medium, from WordPress co-founder Matt Mullenweg.
Love WordPress news, but hate reading? This is Doc Pop’s News Drop.
Last week, on Valentine’s Day, Scott Arciszewski (archie-ziskee) wrote a lengthy post on Medium about a possible WordPress vulnerability that could lead to every WordPress site being turned into a Mirai-style botnet that can be used to bring down servers in a DDoS attack.
Scott, an open source security researcher, says that the key to preventing this type of vulnerability is to cryptographically sign WP core updates, so that every site can check the signature against a public key and confirm the package is an official release. WordPress’s automatic update system is great, but if hackers could somehow gain control of api.wordpress.org, they could use it to push their own malicious version of WordPress to any site with auto-update enabled.
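To make the proposed defense concrete, here is an added example (not WordPress core code, and not Scott’s library) of what a “verify before install” step looks like, using the libsodium functions built into PHP 7.2 and later. The key handling, function names, and the sample package bytes are all assumptions constructed for the illustration: the build server signs a digest of the release with a private key that never leaves it, and the updater refuses anything the pinned public key did not sign.

```php
<?php
// Added example, not WordPress core code: a minimal "verify before install"
// step for an update package, using PHP's built-in libsodium (ext-sodium,
// PHP >= 7.2). Function names, key handling and sample data are assumptions.

declare(strict_types=1);

// Build-server side (offline): the release is signed with the private key.
// Only the public key ever ships with the updater.
function sign_release(string $packageBytes, string $secretKey): string
{
    // Sign a SHA-384 digest of the package rather than the raw bytes, so the
    // same digest can also be logged alongside the signature.
    $digest = hash('sha384', $packageBytes, true);
    return sodium_crypto_sign_detached($digest, $secretKey);
}

// Updater side: accept the package only if the pinned public key signed it.
function verify_release(string $packageBytes, string $signature, string $pinnedPublicKey): bool
{
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature: reject without calling libsodium
    }
    $digest = hash('sha384', $packageBytes, true);
    return sodium_crypto_sign_verify_detached($signature, $digest, $pinnedPublicKey);
}

// --- demonstration with constructed data ---
$keypair   = sodium_crypto_sign_keypair();           // generated once, offline
$secretKey = sodium_crypto_sign_secretkey($keypair); // stays on the build host
$publicKey = sodium_crypto_sign_publickey($keypair); // pinned into the updater

$genuine = "wordpress-x.y.z.zip contents (constructed sample)";
$sig     = sign_release($genuine, $secretKey);

// Case 1: untouched package from the official build.
var_dump(verify_release($genuine, $sig, $publicKey));

// Case 2: bytes served by a compromised update host differ from what was
// signed, so reusing the genuine signature does not help the attacker.
$tampered = $genuine . "<?php /* injected */";
var_dump(verify_release($tampered, $sig, $publicKey));

// Case 3: package signed with a key the updater does not trust.
$rogue    = sodium_crypto_sign_keypair();
$rogueSig = sign_release($tampered, sodium_crypto_sign_secretkey($rogue));
var_dump(verify_release($tampered, $rogueSig, $publicKey));
```

The three cases are the ones that matter for the scenario in the post: a genuine package passes, a modified package fails even when it carries the genuine signature, and a package signed by anyone other than the release key fails. The important property is that a compromise of the download host alone is no longer enough; the attacker would also need the private signing key, which is kept off that host.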
Remember last year’s Internet of Things attack? 100,000 home DVRs and camcorders were hacked and used in a large-scale DDoS attack that led to days of outages for large parts of the internet. Imagine if that same style of attack was used on WordPress sites, which power 27% of the internet.
Scott says he offered his services to help the WordPress team provide signed updates free of charge, but was turned down by WordPress’s co-founder, Matt Mullenweg, which explains why he refers to this attack as #mullware in his post. [show mullware screenshot]
In a lengthy rebuttal, Matt Mullenweg wrote his own Medium post about what led to his decision. He stated that key signing is a good idea, but added “There are more important security issues in front of it, that impact millions of sites in the real world, so we are prioritizing those issues above a nice-to-have, defense in depth effort.”
He then listed several higher-priority security issues, such as sites not updating core, plugins, and themes, as well as many users using weak passwords without two-factor authentication, which I just added to my own site last week.
Matt added that although he didn’t want to incorporate Scott’s encryption library into core without it first being audited by a third party, he offered to help Scott pay for that audit the day before Scott’s security rant went online.
Shortly after Matt’s lengthy response, Scott retracted his post, but honestly it still got me a little nervous. I know that the odds of hackers taking control of api.wordpress.org then putting out some hacked version of WordPress that tens of millions of sites would auto-update to… those odds might be low, but the end result would be considerably more severe than a few thousand sites getting hacked due to weak passwords.
What are your thoughts? Leave them in the comments below or write your own lengthy response on Medium. That’s what everyone else is doing.
We’ll see you next week!