Today we’ve published episode 11 of Think Like a Hacker. As we mentioned earlier in the week, we’ve switched to a new format beginning this week, separating the news and our interview into two episodes. In today’s interview-focused episode we talk to Dave Ryan at WordCamp Orange County.

Dave Ryan is an Interdisciplinary WordPress Developer at Bluehost, where he focuses on helping build WordPress and supporting the WordPress community. He is an organizer for Phoenix area WordPress meetups and WordCamp Phoenix. He also speaks at numerous WordCamps around the country.

In the past Dave has worked for large publishers and universities and scaling high-traffic WordPress sites by blending his skills in information design, journalism and web development.

Dave lives in Phoenix, loves a good taco and will like every photo of your dog on Instagram.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find me on Twitter as @mmaunder and Kathy as @kathyzant and Dave as @0aveRyan. Please don’t hesitate to post your feedback in the comments below.

Today we are pleased to bring you the tenth episode of Think Like a Hacker. We’re doing things a little different this week, separating the news and our interview into two episodes. In today’s we cover the news and we will share another compelling interview later in the week.

In the news we discuss new cryptographic protection against supply chain attacks in WordPress 5.2 which was released today. We talk about Israel’s missile attack against Hamas hackers, a data breach affecting 80 million households, the Gutenberg accessibility audit, DuckDuckGo’s “do not track” bill, a hacker selling Windows ZeroDay vulnerabilities and a sophisticated supply chain attack originating in China amongst other stories.

Here are approximate timestamps in case you want to jump around:
1:24 Security enhancements in WordPress 5.2
8:35 Israeli defense force missile attack
11:05 WordCamp Atlanta recap
13:24 Breach affecting 80 million households
16:44 Gutenberg accessibility audit
26:10 DuckDuckGo Do Not Track Bill
31:10 Hacker Selling Windows 0Day vulnerabilities
34:50 Mozilla bans add-on obfuscated code
38:30 Hackers on a supply-chain attack spree
46:05 Hacker wiping Git repositories
48:54 Firefox certificate causes add-on failure
50:40 Japanese government developing defensive malware

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast.

This week in the news we cover:

• WordPress 5.2 will use digital signatures for core updates to protect against supply-chain attacks. Our own Matt Barry had disclosed a vulnerability that underscores the importance of this new protection.
• Israel retaliates against Hamas hacking with a missle strike.
• A database containing records for 80 million US households was found unprotected on a cloud server by hacktivists Noam Rotem and Ran Locar.
• WPCampus organized an audit of Gutenberg’s accessibility for Section 508 compliance and found numerous issues.
• Privacy-focused search engine DuckDuckGo wrote a bill to stop advertisers from tracking you online.
• A mysterious hacker has been selling Windows zero-day vulnerabilities to APT (advanced persistent threats) ofr the last three years.
• Mozilla has banned Firefox add-ons with obfuscated code.
• A Chinese hacking group code named Barium has been implicated in numerous supply chain attacks.
• Numerous Git repositories have been wiped and replaced with a bitcoin ransom demand.
• Firefox certificate issue was causing add-ons to be disabled or fail on installation.
• The Japanese government has begun an initiative to create and maintain defensive malware.

You can find me on Twitter as @mmaunder and Kathy as @kathyzant. Please don’t hesitate to post your feedback in the comments below.

Earlier this week, a security update was released for the WooCommerce Checkout Manager plugin for WordPress. This update fixes two distinct vulnerabilities: an arbitrary file upload flaw present in certain configurations, and a flaw allowing attackers to delete media files from affected sites. The plugin’s users are advised to install the latest available version (4.3 at the time of this writing) as soon as possible to prevent exploitation of the flaws patched in this update.

The file upload vulnerability was initially made public in a report by an unnamed security researcher, which was irresponsibly published on April 23rd without privately notifying the plugin’s author. In the process of verifying the report, our team identified an additional media deletion flaw which needed to be patched. We reached out to the plugin’s developer the same day to begin the disclosure process, and have deployed a firewall rule to protect our users from these exploits.

In this post we’ll be sharing details regarding both of these flaws, with particular focus on the media deletion flaw which has yet to be reported.

Conditional Arbitrary File Upload

The initially disclosed flaw in WooCommerce Checkout Manager allowed unauthenticated users to upload arbitrary files to affected sites in certain configurations. Specifically, the plugin’s “Categorize Uploaded Files” option needed to be active for this flaw to be exploitable.

With the plugin active, a site’s customers have the ability to upload files associated with their orders during the checkout process. Without the “Categorize Uploaded Files” option enabled, the plugin made use of WordPress’s built-in media upload handler, which is generally effective at keeping out malicious scripts. However, when the option is enabled, it directly uploads the file without any security checks, allowing dangerous files to be uploaded.

Wordfence firewall users, both premium and free, are protected from malicious script uploads.

Unauthenticated Media Deletion Flaw

While testing reports of the file upload flaw above, our team discovered a flaw which would allow attackers to delete media files from the affected site.

Alongside the file upload feature, the plugin is able to delete the attachments users have uploaded at checkout. In unpatched versions, this deletion feature allowed unauthenticated users to delete any media file, not just those associated with a user’s checkout uploads.

function update_attachment_wccm_callback() {

	global $post, $wpdb, $woocommerce;

	$array1 = explode( ',', sanitize_text_field( isset( $_POST['wccm_default_keys_load'] ) ? $_POST['wccm_default_keys_load'] : '' ) );
	$array2 = explode( ',', sanitize_text_field( isset( $_POST['product_image_gallery'] ) ? $_POST['product_image_gallery'] : '' ) );
	$attachment_ids = array_diff( $array1, $array2 );

	if( isset( $_POST['wccm_default_keys_load'] ) ) {
		if( !empty( $attachment_ids ) ) {
			foreach( $attachment_ids as $key => $values ) {
				wp_delete_attachment( $attachment_ids[$key] );
			}
		}
		echo __('Deleted successfully.','woocommerce-checkout-manager');
	}
	die();

}
add_action( 'wp_ajax_update_attachment_wccm', 'update_attachment_wccm_callback' );
add_action( 'wp_ajax_nopriv_update_attachment_wccm', 'update_attachment_wccm_callback' );

The above function, update_attachment_wccm_callback, is hooked into the update_attachment_wccm AJAX action. The function is only intended for Administrator and Shop Manager users, but was available to unauthenticated users due to its additional nopriv_ registration and a lack of capabilities checks. In the function, two POST body parameters are converted to arrays and then compared. Any media attachments with IDs present in $_POST['wccm_default_keys_load'] but not in $_POST['product_image_gallery'] are deleted via the built-in wp_delete_attachment function. This not only deletes the associated file, but removes its metadata from the WordPress media library.

An attacker with motivation to take down a site’s images and other media could do so by identifying a set of media IDs, or simply iterating over a wide range of values, and assigning them to wccm_default_keys_load as a comma-delimited string. Because the ternary operation on line 2176 returns an empty string by default, we don’t need to set a product_image_gallery parameter for comparison unless we wanted to exclude specific IDs for some reason.

For example, to delete any media files with IDs from 1 to 10, you’d send a POST request to http://example[.]com/wp-admin/admin-ajax.php?action=update_attachment_wccm with the POST body wccm_default_keys_load=1,2,3,4,5,6,7,8,9,10.

Next Steps

The plugin’s author, Visser Labs, has patched these issues in version 4.3 of WooCommerce Checkout Manager. It is advised that all sites making use of the plugin update as soon as possible. For sites which haven’t patched, a new Wordfence firewall rule has been deployed to prevent abuse of the media deletion flaw. Premium users have immediate access to this new rule, and free users will gain access in thirty days. Both free and premium users already benefit from built-in rules which offer protection from the file upload vulnerability as well.

At this time, we have not identified significant exploitation of either of these vulnerabilities. We will continue to monitor for related activity and issue further reports if necessary.

Thanks to Ram Gall from the Defiant QA team for the discovery of the media deletion vulnerability.

Earlier this week, a security update was released for the WooCommerce Checkout Manager plugin for WordPress. This update fixes two distinct vulnerabilities: an arbitrary file upload flaw present in certain configurations, and a flaw allowing attackers to delete media files from affected sites. The plugin’s users are advised to install the latest available version (4.3 at the time of this writing) as soon as possible to prevent exploitation of the flaws patched in this update.

The file upload vulnerability was initially made public in a report by an unnamed security researcher, which was irresponsibly published on April 23rd without privately notifying the plugin’s author. In the process of verifying the report, our team identified an additional media deletion flaw which needed to be patched. We reached out to the plugin’s developer the same day to begin the disclosure process, and have deployed a firewall rule to protect our users from these exploits.

In this post we’ll be sharing details regarding both of these flaws, with particular focus on the media deletion flaw which has yet to be reported.

Conditional Arbitrary File Upload

The initially disclosed flaw in WooCommerce Checkout Manager allowed unauthenticated users to upload arbitrary files to affected sites in certain configurations. Specifically, the plugin’s “Categorize Uploaded Files” option needed to be active for this flaw to be exploitable.

With the plugin active, a site’s customers have the ability to upload files associated with their orders during the checkout process. Without the “Categorize Uploaded Files” option enabled, the plugin made use of WordPress’s built-in media upload handler, which is generally effective at keeping out malicious scripts. However, when the option is enabled, it directly uploads the file without any security checks, allowing dangerous files to be uploaded.

Wordfence firewall users, both premium and free, are protected from malicious script uploads.

Unauthenticated Media Deletion Flaw

While testing reports of the file upload flaw above, our team discovered a flaw which would allow attackers to delete media files from the affected site.

Alongside the file upload feature, the plugin is able to delete the attachments users have uploaded at checkout. In unpatched versions, this deletion feature allowed unauthenticated users to delete any media file, not just those associated with a user’s checkout uploads.

function update_attachment_wccm_callback() {

	global $post, $wpdb, $woocommerce;

	$array1 = explode( ',', sanitize_text_field( isset( $_POST['wccm_default_keys_load'] ) ? $_POST['wccm_default_keys_load'] : '' ) );
	$array2 = explode( ',', sanitize_text_field( isset( $_POST['product_image_gallery'] ) ? $_POST['product_image_gallery'] : '' ) );
	$attachment_ids = array_diff( $array1, $array2 );

	if( isset( $_POST['wccm_default_keys_load'] ) ) {
		if( !empty( $attachment_ids ) ) {
			foreach( $attachment_ids as $key => $values ) {
				wp_delete_attachment( $attachment_ids[$key] );
			}
		}
		echo __('Deleted successfully.','woocommerce-checkout-manager');
	}
	die();

}
add_action( 'wp_ajax_update_attachment_wccm', 'update_attachment_wccm_callback' );
add_action( 'wp_ajax_nopriv_update_attachment_wccm', 'update_attachment_wccm_callback' );

The above function, update_attachment_wccm_callback, is hooked into the update_attachment_wccm AJAX action. The function is only intended for Administrator and Shop Manager users, but was available to unauthenticated users due to its additional nopriv_ registration and a lack of capabilities checks. In the function, two POST body parameters are converted to arrays and then compared. Any media attachments with IDs present in $_POST['wccm_default_keys_load'] but not in $_POST['product_image_gallery'] are deleted via the built-in wp_delete_attachment function. This not only deletes the associated file, but removes its metadata from the WordPress media library.

An attacker with motivation to take down a site’s images and other media could do so by identifying a set of media IDs, or simply iterating over a wide range of values, and assigning them to wccm_default_keys_load as a comma-delimited string. Because the ternary operation on line 2176 returns an empty string by default, we don’t need to set a product_image_gallery parameter for comparison unless we wanted to exclude specific IDs for some reason.

For example, to delete any media files with IDs from 1 to 10, you’d send a POST request to http://example[.]com/wp-admin/admin-ajax.php?action=update_attachment_wccm with the POST body wccm_default_keys_load=1,2,3,4,5,6,7,8,9,10.

Next Steps

The plugin’s author, Visser Labs, has patched these issues in version 4.3 of WooCommerce Checkout Manager. It is advised that all sites making use of the plugin update as soon as possible. For sites which haven’t patched, a new Wordfence firewall rule has been deployed to prevent abuse of the media deletion flaw. Premium users have immediate access to this new rule, and free users will gain access in thirty days. Both free and premium users already benefit from built-in rules which offer protection from the file upload vulnerability as well.

At this time, we have not identified significant exploitation of either of these vulnerabilities. We will continue to monitor for related activity and issue further reports if necessary.

Thanks to Ram Gall from the Defiant QA team for the discovery of the media deletion vulnerability.

We cover quite a few news stories this week, including two plugins requiring immediate updating due to disclosed vulnerabilities, what we can expect from WordPress version 5.2 and a dark web marketplace that appears to have exit scammed users. We follow up on Google Sensorvault, a great interview with Richard Stallman about Facebook and JetBlue’s use of facial recognition technology. We take a look at GoDaddy’s removal of 15,000 spam subdomains, the Docker breach and Slack’s upcoming IPO and their dire warning to investors.

This week, I chat with Jon Brown, CEO of 9seeds, a digital agency. We chatted at Chris and Katie Bayer’s Black Mountain Coffee Roastery in Idyllwild, California. Jon and I talk about running an agency, remote work, being a digital nomad and of course, WordPress. We had a great conversation, and I think you’ll enjoy it.

Here are approximate timestamps in case you want to jump around:
1:15 WordPress plugin WooCommerce Checkout Manager vulnerabilities
3:40 Buddy Press vulnerabilities disclosed
4:42 WordPress 5.2 expected release
9:27 Dark web marketplace exit scammed
12:20 Congress asking questions about Google Sensorvault
14:39 Richard Stallman on Facebook
21:10 JetBlue facial recognition
26:17 GoDaddy spammy subdomain
29:25 IoT devices with P2P component flaws vulnerable
32:12 Docker breach
37:33 The Slack pre-IPO SEC disclosure
41:39 The Jon Brown Interview

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast.

This week in the news we cover:

• Vulnerabilities found and patched in the WooCommerce Checkout Manager plugin that provides customization of fields on checkout pages.
• BuddyPress release version 4.3.0 contains a number of security patches.
• WordPress version 5.2 will contain a number of improvements to Gutenberg, Site Health dashboard, and accessibility for wp-admin dashboard. A new fatal error recovery mode will create fewer problems for site owners if a plugin or theme update if there is a problem.
• The dark web marketplace Wall Street Market (WSM) has exit scammed with over $14.2M in user funds.
• Congress is asking for details about the Google Sensorvault program we previously discussed on the podcast.
• Richard Stallman, founder of the Free Software Foundation and author of the GPL, was interviewed about Facebook the surveillance monster feeding on our personal data.
• JetBlue is leveraging use of facial recognition software and a Homeland Security database which is concerning to those who were unaware of its use.
• GoDaddy has taken down over 15,000 subdomains that have been used for online scams after a Palo Alto Network two-year research project.
• Over two million IoT devices are vulnerable because of P2P component flaws.
• Hackers have breached Docker Hub, a programming tool used by developers, compromising keys and tokens for over 190,000 accounts.
• In preparation for their IPO, Slack warns investors that they’re a target for nation-state hacking as well as other hackers.

You can find me on Twitter as @mmaunder and Kathy as @kathyzant, and Jon Brown at @jb510 or at 9seeds.com. Please don’t hesitate to post your feedback in the comments below.

This week we look at Troy Hunt’s pen testing results with the TicTocTrack watch and the privacy issues of tracking our kids. We examine the changes coming in the AMP project as well as implications of the UK’s new porn age restriction law coming into effect in July. We review a story uncovered by Cisco’s Talos security team about a group called SeaTurtle who carried out an espionage campaign via DNS hijacking. We take a new look at why the Nigerian prince scam is still netting over $700,000 per year, and how the City of Chicago lost more than $1 million in a phishing scam. We also take a look at the nascent influencer economy and some of the effects on both service companies and influencers themselves.

For our interview this week, I have something a little different. I was recently in Idyllwild, California for a few days and made friends with an amazing couple who run a coffee roastery and tasting room. Chris and Katie Bayer are the owners of Black Mountain Coffee Roasting. If you love coffee and WordPress you’re going to love this interview. Enjoy!

Here are approximate timestamps in case you want to jump around:
0:45 TicTocTrack, the Hackable Kids’ Watch
14:24 Changes to AMP
21:14 UK Pornography restriction law
29:25 Sea Turtle group and DNS hijacking
38:19 Nigerian Prince scams and why they’re still around
50:42 City of Chicago and a phishing scam
58:13 The influencer economy
1:07:26 Interview with Chris and Katie Bayer

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast.

This week in the news we cover:

• Troy Hunt takes a look at a kids’ smart watch with some extraordinary security and privacy concerns.
• There are some updates to Google’s Accelerated Mobile Pages (AMP) that make sites visited via AMP appear to be the actual publisher’s site.
• The United Kingdom has a new law coming into effect in July with stricter requirements to restrict pornography access.
• Cisco Talos security researchers have discovered a new team of sophisticated hackers they’ve named Sea Turtle that has hijacked internet domains of entire countries.
• A new look at an old story, Nigerian prince scams are still raking in over $700,000 a year. We talk about why this is still important.
• The City of Chicago fell victim to a phishing scam that almost lost them over $1 million, but the funds were recovered.
• The influencer economy is growing, but one service business doesn’t want any part of it. An Instagram influencer had her account shut down after a group reported her account repeatedly.

You can find me on Twitter as @mmaunder and Kathy as @kathyzant. Please don’t hesitate to post your feedback in the comments below.

This week we look at the Assange arrest, an irresponsible security researcher affecting the WordPress community and do a bit of a thought experiment. We also look at Google’s Sensorvault and how it’s being used by law enforcement, the fascinating rise and fall of the Bayrob malware gang, and some tips for avoiding a new AirBnB scam. I also talked to Tyler Lau at WordCamp Phoenix last month, and we share that interview with you today. Tyler is the Social Community Manager at Sandhills Development. Sandhills makes some very popular plugins including Easy Digital Downloads, AffiliateWP. We talked about the WordPress community, WordPress in general and some of the cool things that Sandhills is involved in. Enjoy!

Here are approximate timestamps in case you want to jump around:
0:51 Assange taken into custody
20:27 Irresponsible security researcher
30:50 Google Sensorvault
35:14 Bayrob malware gang
43:07 Land Lordz service powering AirBnB scams
49:57 Tyler Lau interview

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast.

This week in the news we cover:

• Julian Assange is taken into custody after seven years in the Ecuadorian embassy in London. The US Department of Justice is charging him with conspiracy to commit computer intrusion for agreeing to break a password to a classified U.S. government computer.
• Ars Technica publishes details about the rogue security researcher with a grudge dropping 0days on innocent WordPress users. We’ve covered this irresponsible researchers on past episodes. Mark had a bit of a Tweet storm about this over the weekend. Here’s the link to the WordPress HackerOne bug bounty program.
• Google’s sensorvault, a database of location records from hundreds of millions of devices, is being used by law enforcement.
• A fascinating story about the Bayrob malware gang from Romania gives an detailed look at who makes money from malware, their expertise, and ultimately how they were caught.
• Scammers use a new tool called Land Lordz to automate fake AirBnB scams, but there are ways to detect this scam and stay safe.

You can find me on Twitter as @mmaunder, Kathy as @kathyzant, and Tyler Lau as @tylermaximuslau. Please don’t hesitate to post your feedback in the comments below.

On Monday the WordPress plugin Yellow Pencil Visual Theme Customizer was closed in the WordPress.org plugin repository. The plugin is quite popular, with an active install base of over 30,000 websites. On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin.

We are seeing a high volume of attempts to exploit this vulnerability. The exploits very closely resemble the POC posted by the irresponsible researcher.

We deployed a firewall rule to protect against these attacks yesterday, which our Premium customers have now received. All site owners are urged to remove the plugin from their sites immediately.

Privilege Escalation Enables Arbitrary Options Updates

The first flaw that enables this attack is present in the yellow-pencil.php file within the plugin. The yp_remote_get_first() function is called on every page load and checks if a specific request parameter (yp_remote_get) has been set. If it has, the plugin escalates privileges to that of an administrator for the remainder of the request.

function yp_remote_get_first(){
     if(isset($_GET["yp_remote_get"])){
         wp_set_current_user(1);
         show_admin_bar(false);
     }
 }

This privilege escalation makes any user capabilities checks later in the plugin moot. As a result, unauthenticated users can perform actions, such as change arbitrary options, that were only meant for site administrators. A cross-site request forgery (CSRF) check is missing in the function below that would have made it much more difficult to exploit.

function yp_option_update(){

     // Can?
     if(current_user_can("edit_theme_options") == true){
 
         // Import the data
         if(isset($_POST['yp_json_import_data'])){
 
             $data = trim( strip_tags ( $_POST['yp_json_import_data'] ) );
 
             if(empty($data) == false){
 
                 yp_import_data($data);

Familiar Threat Actor Strikes Again

We’re again seeing commonalities between these exploit attempts and attacks on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins. Exploits so far are using a malicious script hosted on a domain, hellofromhony[.]com , which resolves to 176.123.9[.]53. That IP address was used in the other attacks mentioned. We are confident that all four attack campaigns are the work of the same threat actor.

Conclusion

As continues to be the case, a disgruntled security researcher continues to put the WordPress community at risk by publicly disclosing POCs for zero-day vulnerabilities. In this environment we strongly recommend staying on top of WordPress security news and considering an upgrade to Wordfence Premium.

Site owners running the Yellow Pencil Visual Theme Customizer plugin are urged to remove it from their sites immediately. Wordfence Premium customers received an updated firewall rule to protect against this vulnerability yesterday. Free users will receive it 30 days later.