Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Security Technology

WordPress Plugs Bug that Led to Google Indexing Some User Passwords (zdnet.com) 32

A week after releasing v5.0 major update, WordPress has pushed the first security patch for its popular CMS service. ZDNet: Released hours ago, WordPress version 5.0.1 fixes seven security vulnerabilities (some of which allow site takeover) but also plugs a pretty serious privacy leak. The latter was found by the authors of the popular Yoast SEO plugin, who discovered that in some cases the activation screen for new users could end up being indexed by Google. With specially crafted Google searches, an attacker could find these pages and collect users' email addresses, and in some rare cases, default-generated passwords. This leak could have catastrophic consequences if the user has an admin role or if the user didn't change his default password, as is regularly advised.
This discussion has been archived. No new comments can be posted.

WordPress Plugs Bug that Led to Google Indexing Some User Passwords

Comments Filter:
  • No joke.

    WP is a messy blob of spaghetti code, albeit one with 160 million active installs. That means a bug like this that would go undetected for months on any other System comes up with a fix two days after its release. And that in turn makes for some pretty relyable security.

    • by Anonymous Coward

      MIME type verification is standard verification for almost any file upload system system these days.

      We're talking 10+ years it took for those 160 zealots to even realize that MIME types were a thing and they can be used to spoof file uploads (and yes you can spoof MIME type afaik but that's not the point)

      The other vuln was in a 3rd party plugin, totally unrelated to Wordpress core. The 3rd party even admits in the article *they* found it, not the 160 million zealots you describe above.

      Yep. Wordpress. Totall

  • I misread the title as "WordPress Plugs Butt" - chuckled to myself when realized my brain made a mistake and thought I'd share.

  • by JustAnotherOldGuy ( 4145623 ) on Friday December 14, 2018 @11:42AM (#57803714) Journal

    "With specially crafted Google searches, an attacker could find these pages and collect users' email addresses, and in some rare cases, default-generated passwords."

    Another fabulous win for WordPress. (sigh)

    Seriously, if you run WordPress, at least install the WordFence plugin. It's free and prevents a lot of malicious behavior from occurring. I don't know about this specific exploit, but it has stopped a ton of bot-style attacks on the few WP sites I have some responsibility for.

    Install WordFence and look at the logs after a day or two- you'll be astounded (and horrified) at the level of malicious activity it catches and stops.

    (And in case you're wondering, no, I have no connection or financial interest whatsoever in WordFence, I'm just a fan).
     

  • by Anonymous Coward

    Barebones CMS is secure in ways that WordPress will never be, it's out-of-the-box performance blows away WordPress no matter how you might configure WordPress, Barebones consumes far fewer system resources than WordPress (100KB instead of 64MB RAM per user), and supplies everything you could ever need in terms of content authoring and content management. Barebones CMS is also a fraction of the size of WordPress, Joomla!, and Drupal and offers a sane open source license (your choice of MIT or LGPL).

    WordPres

  • by Darinbob ( 1142669 ) on Friday December 14, 2018 @02:20PM (#57804618)

    This just seems like novice mistakes. Passwords should NEVER be stored. There is never a need to store a password at any time. If it's not stored then there is minimal chance of exposing the password. I think the newbies to programming don't know this, and they think that they have to compare the password typed in to a stored password, which is wrong. The first step is to make a secure hash of the password, and the second step is to clear the password from memory. Of course that's not all you need to do, but if you don't use those two steps then it means the implementer doesn't understand security. If a password is ever in a database then someone has screwed up.

"Facts are stupid things." -- President Ronald Reagan (a blooper from his speeach at the '88 GOP convention)

Working...