WordPress Sites Hacked Through Vulnerable Payment Forms Plug-in

Hackers are exploiting vulnerabilities in a WordPress plug-in that was patched months ago without being publicly announced. A different vulnerability has been found in the same plug-in during a recent forensic investigation and has now been patched.

In late January, security researchers from security firm Defiant investigated a compromised website built on WordPress for a client and found the attackers exploited vulnerabilities in a commercial plug-in called WP Cost Estimation & Payment Forms Builder.

The researchers noticed that the version of the plug-in used on the website was not the latest one, and when they checked they found that the flaws had been silently patched by the developer in later versions.

“These flaws were found and patched by the developer a few months ago, but no official public disclosure was made at the time,” Defiant said in a report published this week.

Following that discovery, the researchers decided to analyze the plug-in for additional flaws and found a directory traversal issue which they reported to the developer, Loopus Plugins. The new vulnerability could be used to bypass the patch for the older flaws and has been fixed in a new release.

The original vulnerabilities being exploited by attackers in the wild exist in versions older than 9.644 and the new directory traversal vulnerability was patched in version 9.660. Users of this WordPress plug-in are strongly advised to upgrade the plug-in as soon as possible.

According to Defiant, Loopus Plugins responded quickly and implemented the suggested fixes, so this is a fortunate case in which a plug-in developer was responsive to a security report, which is not always the case.

That said, the incident is noteworthy because it highlights a problem that developers have faced for a long time: whether to disclose vulnerabilities they find and fix internally.

Many security professionals believe that all vulnerabilities should be disclosed because there have been many cases in the past when the same flaw in an application was discovered by multiple people independently. So even if a vulnerability is found internally, someone else can also find it.

Some developers believe that keeping security issues under wraps prevents them from becoming widely known and exploited. The problem with this is that hackers can reverse-engineer patches and if users don’t know that a new update contains a security fix, they might delay installing it.

This is especially a problem for web software like content management systems such as WordPress and their plug-ins, because updates often mix security patches with new features and other bug fixes that are not related to security. This makes website administrators wary of updating components because they fear compatibility issues with existing code that might break their websites.

In the desktop software world, vendors do a much better job at keeping security updates separate from feature releases so users can make informed decisions regarding how important certain updates are and how quickly they must be deployed.

Hacker Sells 730 Million+ User Records Stolen from Companies

A hacker is selling on an underground market more than 730 million user records that were stolen from websites belonging to 24 companies.

The first batch of 620 million user records was posted earlier this week on Dream Market, an underground marketplace accessible only on the Tor anonymity network. The Register, which first reported the story, said the data was being sold for around $20,000 in Bitcoin and consisted primarily of account holder names, email addresses and hashed passwords.

According to the posting seen by The Register, the user account data had been taken from 16 hacked websites: Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million) and DataCamp (700,000).

On Thursday, TechCrunch reported that the same seller posted listings for an additional 127 million records obtained from 8 more websites: Ixigo (18 million), YouNow (40 million), Houzz (57 million), Stronghold Kingdoms (5 million), Roll20 (4 million), Ge.tt (1.8 million), PetFlow (1 million) and Coinmama (450,000). The combined asking price was around $14,500 in Bitcoin for the new data.

It’s not clear how the information was obtained, but some of the websites—for example, MyFitnessPal or Animoto—previously disclosed that they’d been breached.

Stolen login credentials, even with hashed passwords, are valuable for attackers, so it’s no wonder they’ve become a commodity being sold on underground markets.

Hackers can crack password hashes, especially if the passwords are not long and complex, and they can build credential lists for brute-force attacks against other websites, also known as credential-stuffing attacks. This is made easier by the fact that a lot of people reuse their passwords across different websites instead of having unique and hard-to-guess passwords for each of their online accounts.
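The credential-stuffing pattern described above has a recognisable shape in a site's authentication logs: one source trying many different usernames, most of them failing. The following is an added defender-side example, not code from the article or from any of the companies named; it runs over a constructed log sample in an assumed format and flags sources that fit that shape while leaving a single user who mistypes a password alone.

```python
import re

# Constructed sample of authentication log lines (not real data). The line
# format "<timestamp> <client_ip> <OK|FAIL> user=<username>" is an assumption.
SAMPLE_LOG = """\
2019-02-15T10:00:01Z 203.0.113.7 FAIL user=alice@example.com
2019-02-15T10:00:02Z 203.0.113.7 FAIL user=bob@example.com
2019-02-15T10:00:02Z 203.0.113.7 FAIL user=carol@example.com
2019-02-15T10:00:03Z 203.0.113.7 OK user=dave@example.com
2019-02-15T10:00:03Z 203.0.113.7 FAIL user=erin@example.com
2019-02-15T10:00:04Z 203.0.113.7 FAIL user=frank@example.com
2019-02-15T10:00:10Z 198.51.100.4 FAIL user=alice@example.com
2019-02-15T10:00:15Z 198.51.100.4 FAIL user=alice@example.com
2019-02-15T10:00:20Z 198.51.100.4 OK user=alice@example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) user=(\S+)$")


def parse_line(line):
    """Return (client_ip, succeeded, username) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, ip, result, user = m.groups()
    return ip, result == "OK", user


def aggregate(log_text):
    """Per source IP: total attempts, failed attempts and distinct usernames."""
    stats = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ip, ok, user = parsed
        s = stats.setdefault(ip, {"attempts": 0, "failures": 0, "users": set()})
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["users"].add(user)
    return stats


def flag_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.7):
    """Sources that tried many distinct accounts with a high failure ratio.
    One account failing repeatedly from one IP (forgotten password, or a
    brute-force attempt on a single account) does not match this rule."""
    flagged = []
    for ip, s in aggregate(log_text).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

The thresholds are illustrative; in production they would be tuned per site and combined with a time window so that a long-lived NAT address is not flagged for ordinary traffic.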

Phishers are also interested in user account information, particularly email addresses and names. If the information also reveals where the victims had a valid account it allows attackers to build even more targeted phishing schemes.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42