WordPress plugin updates and how I (ab)used it

Any WordPress site administrator will know that WordPress has an auto update system for plugins. Not many people seem to think through how this works and what it means, which is why a lot of people started to say stuff when I “fixed” the BlogPress SEO situation earlier today. Let’s walk through this fairly simple system.

You have a set of plugins installed, WordPress gathers the name, slug (directory name), version number and some other things, and sends that to WordPress.org. On WordPress.org, the server tries to find that plugin within its system, and when it’s found it, it checks the version number against the current version number for that plugin. If it finds a newer version, it returns it. Simple, superb, just works, every day, for all of us.

How I “used” the WordPress plugin update system

The thing is, the update check relies on the fact that the plugin is on WordPress.org. If it’s not, the check should return nothing. What I did was create a BlogPress SEO plugin on WordPress.org which was empty. Note that that’s easier for me than for most: I have a lot of registered plugins already, and most people who have the rights to approve a new plugin for me will do so without too much of a check. The empty plugin has the same name and slug, and a higher version number than the version BlogPress SEO currently ships, and therefore WordPress offers it as an update.

Call it genius, call it evil, some people thought it was pretty bad that it’s possible. In this case I used it for “good”, where it could also be used for “bad”. Mind you, I only did it when I found the backdoor, I wasn’t willing to do it before when it was “just” SEO spam, even though I had thought up this method about 11 months ago already.

This will not work for plugins that are already on WordPress.org; it might work for others. But remember: plugin requests do normally get a high level of scrutiny on WordPress.org. After that, if something bad got through, it would be pulled immediately. I doubt they’re going to pull this hijack of mine for obvious reasons: it does a good thing. Still, if you’re concerned about this happening to your plugin, the fix is to apply this method by Mark Jaquith, or even better, replace it with your own update server.
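As an added illustration (not code from this post or from WordPress itself), here is a small Python model of the update check described above: the site sends plugin file names and versions, the WordPress.org side matches on the slug (directory name) alone and compares versions, and a plugin can be kept out of the request the way Mark Jaquith’s filter does. All names, slugs and version numbers are constructed for the example.

```python
# Added example: a simplified model of the WordPress.org plugin update check.
# It is not WordPress code; directory contents and versions are constructed.

def version_tuple(version):
    """Turn '1.2.10' into (1, 2, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))

# Constructed stand-in for the WordPress.org directory: slug -> latest version.
# "blogpress-seo" models the empty same-slug plugin with a high version number.
WPORG_DIRECTORY = {
    "example-plugin": "1.0.3",
    "blogpress-seo": "9.9",
}

# Constructed stand-in for one site's installed plugins: plugin file -> version.
# blogpress-seo is hosted elsewhere; the directory does not know or care.
INSTALLED = {
    "example-plugin/example-plugin.php": "1.0.2",
    "blogpress-seo/blogpress-seo.php": "1.1",
}

def build_update_request(installed, excluded=()):
    """Client side: what the site sends. `excluded` models a filter that strips
    a plugin from the request before it leaves the site (Mark Jaquith's idea)."""
    return {f: v for f, v in installed.items() if f not in excluded}

def update_check(request, directory):
    """Server side: the only key is the slug (directory name). Anything in the
    directory with that slug and a newer version is returned as an update."""
    updates = {}
    for plugin_file, version in request.items():
        slug = plugin_file.split("/")[0]
        latest = directory.get(slug)
        if latest and version_tuple(latest) > version_tuple(version):
            updates[plugin_file] = latest
    return updates

if __name__ == "__main__":
    # Without the filter, the externally hosted plugin is offered the
    # same-slug WordPress.org "update" alongside the legitimate one.
    print(update_check(build_update_request(INSTALLED), WPORG_DIRECTORY))
    # With the plugin filtered out of the request, only example-plugin is checked.
    opt_out = ("blogpress-seo/blogpress-seo.php",)
    print(update_check(build_update_request(INSTALLED, opt_out), WPORG_DIRECTORY))
```

The model shows the root cause: the match is purely on slug and version, so nothing ties a directory entry to the plugin’s actual origin.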

Is this legitimate (ab)use?

Some people will argue I shouldn’t have done this. In this case, I think the end justifies the means, you’re welcome to disagree and give me your opinion, I sincerely want to hear that, ethical behavior is very important to me.

Killswitch?

This whole story also opened the discussion about whether WordPress needs a kill switch for stuff like this (this isn’t one, people have to upgrade, I can’t just kill the plugin). I think we do need one, but we should also set very strict rules on how to use that when we add it. But then again when someone purposefully adds a backdoor to WordPress blogs around the globe, I think the platform would benefit if we (or rather, the lead developers) would be able to “kill” that plugin on all WordPress.org blogs instantly. The issue is of course that a sophisticated developer would just disable that check, so in the end, there’s probably no chance of that. Of course this is also a one off fix, as all other bad people out there will now also apply Mark’s fix…


34 Responses

  1. Andrea_R on 14 November, 2010

    I actually think you did a good thing, and yes an ethical one. I don’t see any difference between this and someone using VaultPress, which will yank any suspect files if it finds them.

    As a member of the community, who does find things like this and did act on them, overall it was totally worth it.

    I’m sure someone will say “but people opt-in to vaultpress”. People willingly installed a bad plugin without checking out what it did first. They willingly are clicking the upgrade button.

    Sometimes you really do have to save people from themselves.

  2. Chris Olbekson on 14 November, 2010

    I’ve been following this blogpress seo thing and I applaud what you did. We (the theme review team) found a worm in a theme a few months back and contemplated doing the same thing but it turned out that the worm was only in an update that hadn’t been approved yet.

  3. Ron on 14 November, 2010

    I’m really glad you did that. Yes, you did expose something that could be used for malicious purposes (before it was used for malicious purposes). Over the last year+, there have been several discussions about making the plugin review process more vigorous. To date, there hasn’t been a compelling reason to do so. IMO, now there is one.

    The distinct advantage for reviewing plugins over the theme review process is that plugins are updated through SVN. So, once the initial version of a plugin passes review, subsequent updates to the plugin repo are a changeset. Probably 90% of those are minor changes which will be fairly easy for review.

    • Joost de Valk on 14 November, 2010

      I dislike the idea of a review of every line of code going into the repo, like, really, really dislike it. Do we need some method of making plugins more trustworthy? Yes. Would scanning every line of code that goes into the repository fix this? Perhaps. Do we have the man power to do it? I doubt it.

      A simple first step would be to make the process of getting a new plugin approved even harder, and to make name changes for plugins harder: the name you register with you can’t change except with permission from an admin, that’d solve like half the issue.

  4. Kim on 14 November, 2010

    Kudos, Joost. You saw someone victimizing people and immediately acted to stop it in a non-harmful way. Then you made your actions public so the community could begin to work to prevent this from happening again. I support your actions 100% and I appreciate your acting on behalf of those of us who wouldn’t have known about this scam otherwise.

  5. Lee Willis on 14 November, 2010

    Absolutely, 100% respect why you’ve done this.

    However it does publicise an interesting attack vector. The existing mechanism is open to abuse, and the hole could easily be used for malicious purposes. Just think of the opposite of what you did – pick a common, non-WordPress.org plugin, and create a plugin on WordPress.org, upload it as a copy of the original code, but with malicious code embedded. Boom, bash. Including the original code will obfuscate any malicious code (Unless the repo performs some kind of code scanning) and make it hard to spot in a casual inspection.

    That is a bigger issue than the ethics of what you did.

    • Joost de Valk on 14 November, 2010

      As said, normally this sort of stuff undergoes quite a bit of scrutiny, there’s a handful of people, me included, who get easier approval because we’ve done so many plugins already. In theory, it’s possible, in practice hardly anyone could pull it off. In theory as well, just about any plugin on the repository could add code like there was in BlogPress SEO, and it could go unnoticed for a whole lot longer than if you “stole” someone’s non WordPress.org plugin.

  6. WebDojo on 15 November, 2010

    You are the batman.

    Shocking, interesting, ethical hacking. Impressive good sir!

  7. demetris on 15 November, 2010

    This is why, while I contribute, and enjoy contributing, to the WordPress core as much as my skills and time permit, I avoid being involved with the WP.org site and its procedures:

    Complete arbitrariness!

    Why is it the repo’s business to monitor and control what plugins people install or not install from other places?

    And who takes decisions like this? What are the rules that decisions like this must comply with?

    Cheers!

  8. Milan Petrovic on 15 November, 2010

    There is one thing WordPress can do to stop plugins like BlogPress SEO. It’s not obtrusive, it’s not doing anything instead of the blog admin and it’s not extreme as kill switch is (no matter how justified). WP core can get something called Security Advisor panel, this panel will get info from WP.org about potential threats, malicious plugins/themes and the ways to stop them. Each security item can be marked with different threat level, and the highest threat level should be displayed on top of each page, until it’s solved by the admin. This way admins can take care of the problem on their own blog following advices from WP.org and security experts.

  9. Tom Hermans on 15 November, 2010

    Kudos Yoast,

    been following this story when you first posted the review and already mentioned the risk people were taking with installing this plugin.

    That it was worse than initially expected and that you acted upon it to stop people getting harmed, is indeed a bold, but a good move.

    grtz,
    ToM. (the only Belgian in the café night before WordCampNL)

  10. Barry Adams on 15 November, 2010

    It’s a bit like hacking a site to expose vulnerabilities and then inform the site admin of those vulnerabilities before you go public. I.e. it’s an ethically right method of hacking, for the greater good of society and all that. :)

  11. Robert O'Rourke on 15 November, 2010

    I like Milan’s suggestion here. The plugin repo on wp.org has a feature to vote on whether a plugin works or not so it’s not too great a step to add a way for the community to flag a plugin they believe to be spam/malware for review. Or perhaps just a way to add a ‘vote of confidence’ in the plugin.

  12. Great Wall on 16 November, 2010

    Way to go Man! Way to go. (Y)

  13. Alastair McDermott on 16 November, 2010

    A bit of “the ends justify the means” going on here but I gotta admit that backdoor was pure nastiness so deserved smackdown.

    Regarding your opinion:

    “or even better, replace it with your own update server”

    If you’re selling a commercial plugin, I can understand why you’d want to do that. But, in general, surely we’re better as a community if folks standardise on the WordPress.org server for plugin updates for the vast majority of plugins?

    • Joost de Valk on 16 November, 2010

      Agreed fully, some people don’t want to do that though, and they should be the ones using this.

  14. Ipstenu on 16 November, 2010

    I admit, I’m really torn here.

    On the one hand, I’m delighted to see a clever, easy, smart way to kill a horrible bit of code.

    On the other, the idea that non-WP hosted plugins can be overwritten bothers me. Someone could make a plugin with the same name as a non-WP one, and release a different version and screw with people. But is it WordPress’s business to monitor every non-WP site out there that might have a plugin with the same name? No, of course not! So is this just an ‘acceptable’ risk we run if we use plugins NOT hosted on wp.org?

    It solved a problem, I’m glad you did it, but it raises a lot more questions about the best ways to host a plugin and to protect it. Mind you, I think these are questions that need to be discussed :)

  15. Webdojo on 16 November, 2010

    @Ipstenu, I agree about the security concern of how easy it is to “spoof” a plugin update, potentially hijacking the system and having unscrupulous bloggers updating their blog with rogue code.

    My challenge to you all is this question: How do you verify that the update you are about to apply is legitimate and written by the plugin’s author?

    I believe if we all understand how to verify the updates we apply, we can protect ourselves against someone abusing the system.

    I still think what Joosty did here was a batman-esque good “ab”-use, but it shines a spotlight on the need for more understanding in the community.

    Anyone know some steps we can take when to understand the origin of the update code before applying?

  16. Jon on 17 November, 2010

    WP has to get rid of stuff like that or if there were an attack based out of it, the entire brand would be sullied and less trusted even though it was the work of one malicious plug-in writer and numerous unknowing users.

    Bravo for finding a way to prevent this from causing problems and I would love many of the plug-ins to be able to be community supported and open sourced so that fixes to this kind of stuff can be made and incorporated back into the plugin for all to enjoy without relying on a developer who has suddenly become too busy with paid work to update their own plugin.

  17. Mark Kelly on 18 November, 2010

    Joost,
    I think your study is perfectly legitimate and is appreciated since it helps bring awareness to the general wordpress user about what could go wrong. Evil doers are very crafty and will use any means at their disposal and I fully expect to see some big WordPress related stuff tied to mass plugin exploits in the near future.

    Here is another resource that is a more generalized security risk evaluation your readers might appreciate as they evaluate and install plugins for their site.

    http://informationsecurityhq.com/wordpress-plugin-security-what-are-the-risks/

    Regards
    Mark

  18. Jacob Guite-St-Pierre on 20 November, 2010

    Is it ethical? Maybe not. Is it right? Definitely.

  19. Kitty on 21 November, 2010

    Honestly I would have never heard of Blogpress SEO if it wasn’t for you and I think you’ve been talking about it for too long ;) (an entire month). I’m sure this crook can easily redo his malicious plugin under a different brand and relaunch (this time without asking you for a review). I would much rather be reading about you releasing a new version of wordpress SEO.

  20. Kitty on 24 November, 2010

    You’re my WordPress hero ;)

  21. Mike on 24 November, 2010

    Hi Joost, thanks for all your work. Very useful, indeed! :)

  22. Chris on 29 November, 2010

    Well it’s good to know there are some good guys out there, and I think it is ethical.
    I am one of the mugs that started adding this plugin to my many blogs, and I would not have known if the plugin upgrade hadn’t been done, so thank you.

    Now I have websites with login requests all over the page, and Google AdSense has taken ads off those pages. Which may be a coincidence, but now my AdSense earnings have decreased dramatically, and I am showing a smaller percentage of ad serves on my account.

    Still another lesson learnt, thanks again.

  23. Nihar on 1 December, 2010

    Joost, Great job done.

    I call it Ethical Hacking. Hacking, but helping to find the loophole in the system.

  24. Theresa on 13 December, 2010

    Not only did I track this conversation through three posts, but I read all the comments, too. And I’m glad I did!

    This “offer” came to me just today in an email. I went to check it out. Luckily I’d also recently read about the need to stick to plug ins within the wp community itself. And this sure is proof positive.

    I’d actually gone so far as to download the zip to my desktop only (thank god), but then (which I usually do first), I went digging in a Google search looking for a reliable, trustworthy opinion/review of it prior to taking any action with it.

    Of course here I am and again, thank you! There’s yet another something going into my trash can without installation.

    In an odd way, this nefarious individual did me a favor – it got me over to your blog (it’s been a long time sorry!) and now I’m going hunting in your search bar.

    I still cannot find a decent stats plug in that pulls reliable information for self-hosted wps (and keeps working)… Hoping you’ve got the answer archived :)

    Great job, wonderful thread of linked posts to really explain the situation. And yes, I agree, you did a good thing to prevent a very bad thing from happening!
