Wordpress Plugins Security Flaw – A Blackhats Dream

by rishil on April 8, 2011

Part of understanding Blackhat and Hacker Spam is to put yourself in their mindset. And that means asking “How Can I Use This For My Benefit?”

Well I have been doing a lot of that lately. And one of the genius ideas that I had was full site takeovers. Then I toned it down. And then I thought of smartening it up. And then I thought of scaling it. The result? Well, using a simple flaw in Wordpress Plugins and some clever strategy, I could sit back and game 100,000s of relevant links to my sites, and control them all from one place.

Do This and Face Some Jailtime (source http://www.flickr.com/photos/morganmorgan)

NOTE: This idea is theoretical, and I HAVE NOT actually developed it any further than having a conversation with a few people, including Joost de Valk, regarding the possibility. All my research indicates, and Yoast confirms it, that it is indeed possible to create something this devilish. There are other versions of this idea floating around, which I will cover as well.

Side Note: This is HIGHLY Illegal. Don’t freaking do it.  In fact I am doing blackhat a disservice, this is downright Exploit and Hacking.

Wordpress Plugin Spamming

A while back Yoast warned about a really dodgy SEO plugin being pimped out, called Blogpress SEO Plugin. He found that, amongst other devious things:

Next to that, the plugin is kind enough to add a link back to itself on your blog’s homepage, in a hidden div of course, because that’s how smart people roll, right? Luckily, that makes it even easier for Google to find all the sites running the plugin and ban them all in one big sweep.

That is the level of control that you hand over when you install a third-party plug-in on your site.

Wordpress Plugins Background Reminder

There are a few things to remember:

  • Apart from basic checks, such as looking for dodgy code that uses Base64 encoding, not much else is done in the way of security review.
  • Wordpress plugins that are not hosted in the wordpress.org plugin repository aren’t put through ANY paces; this includes “Free” and “Paid” plugins.
  • There isn’t a verification program that vouches for a plugin’s legitimacy and safety, and anything you install is at your own risk.
  • Just because you have used a plugin for years doesn’t mean that a new update is automatically safe to install.
  • Once a plugin is installed, it can do ANYTHING to your site. Remember the Blogpress SEO example above.
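The first bullet above is the whole of the review a plugin gets, so it is worth knowing what such a check looks like. The following Python scanner is an added example, not code from this post or from any WordPress project: it walks a plugin’s PHP files line by line and flags runtime decoding (Base64 and friends), dynamic eval, a link inside a hidden element like the Blogpress SEO one, and calls that reach out to remote hosts. The sample plugin text, the rule set and the file names are all constructed for illustration; a match is a prompt to read that code, not proof that the plugin is malicious.

```python
import re
from pathlib import Path

# Constructed sample of a plugin file showing the constructs the post warns
# about: runtime decoding, eval, and a hidden self-promoting link. It is an
# illustration for the scanner, not code from any real plugin.
SAMPLE_PLUGIN_PHP = r"""<?php
/*
Plugin Name: Constructed Sample Plugin
*/
add_action('wp_footer', function () {
    echo '<div style="display:none"><a href="http://plugin-vendor.example/">seo</a></div>';
});
$payload = base64_decode('ZXhhbXBsZQ==');
eval($payload);
"""

# Each rule: a name, a regex applied per line, and why a reviewer should care.
RULES = [
    ("obfuscated-code",
     re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "decodes code at runtime, which hides what the plugin actually runs"),
    ("dynamic-eval",
     re.compile(r"\b(?:eval|create_function)\s*\("),
     "executes code built at runtime; legitimate plugins rarely need this"),
    ("hidden-link",
     re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.IGNORECASE),
     "a link inside a hidden element, the Blogpress SEO pattern"),
    ("remote-fetch",
     re.compile(r"\b(?:curl_exec|file_get_contents|wp_remote_get|wp_remote_post)\s*\("),
     "talks to a remote host; check what it fetches and where it sends data"),
]


def scan_source(source: str, filename: str = "<string>") -> list:
    """Return one finding per matching line: rule, location, code and note."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern, note in RULES:
            if pattern.search(line):
                findings.append({"rule": name, "file": filename, "line": lineno,
                                 "code": line.strip(), "note": note})
    return findings


def scan_plugin_dir(plugin_dir: str) -> list:
    """Scan every .php file under a plugin directory (hypothetical path)."""
    findings = []
    for path in sorted(Path(plugin_dir).rglob("*.php")):
        findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return findings


def rule_names(findings) -> list:
    """Distinct rule names that fired, sorted, for a quick summary."""
    return sorted({f["rule"] for f in findings})


if __name__ == "__main__":
    # Scans the constructed sample; point scan_plugin_dir at a real
    # wp-content/plugins/<name> directory to review an actual plugin.
    for f in scan_source(SAMPLE_PLUGIN_PHP, "sample-plugin.php"):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['code']}")
        print(f"    {f['note']}")
```

Rules are deliberately line-based and over-inclusive: `file_get_contents` also reads local files and `str_rot13` has innocent uses, so the output is a reading list for a human reviewer rather than a verdict. Run it again on every update, not just at first install, since the list above points out that an update is not automatically safe.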

The Concept – Control A Link Inventory

Link To Me! (source http://www.flickr.com/photos/hoyvinmayvin/4116728906/)

So I questioned myself on what I wanted to do. Here I am talking to myself:

  • What we want: Links
  • What type of Links: Thematic, fresh, blog links.
  • Are they detectable? Probably, and I’m guessing easily.
  • Boo. So what else do we want? Loads of Thematic 301 redirects.
  • Are they detectable? Probably; not too easy to spot all the time, but still.
  • Crap, so what else can I use that isn’t detectable? Rel Canonical. A simple directive that looks fine to the user but means a lot to search engines. Users hardly check their code once it’s live, as long as the page behaves normally.

Note: I have intentionally added a massive flaw to this methodology to trip up people who do ass hat SEO. Learn all search engine directives, what they were meant to do, and what they are capable of. I refuse to elaborate any more, except to say that the method I am highlighting is very limited in its effect if you haven’t got a clue what I am talking about in this note.

WP Plugin Exploit – The Theory

If I can create a Wordpress Plugin that is really popular, and gets installed on thousands of sites, then by simply inserting a backend piece of code, I can control anything on their site.

How do I promote the Plugin?

Easy. Run PPC Ads. Get it ranking in SEO. Pay people to install it, pay bloggers to review it. Make it a really cool plug-in.

What if I can’t get it installed on loads of sites?

Run a search of the Wordpress Plugin Directory. Find old plugins no longer updated. Select those that have high install counts. Offer to buy from the original author. Boom.

The Tool:

Wordpress Security Flaw Plugin Dashboard

So above is my theoretical tool management centre. What does it do?

  • Lists all sites that have the plugin installed
  • Lets me pick which site I want to build links for
  • Finds all tag pages per site that aren’t blocked by a meta robots tag or robots.txt
  • Themes the site by looking at overall keyword density.
  • Lets you pick all the tag pages you want by selection
  • Highlights when the last post under that tag was
  • Lets you pick either a rel canonical or a 301 destination for that page.
  • One button push :)

The result could be devastation on all the poor unsuspecting blog owners, or may not even register on their radar! All you are doing is manipulating their tag pages… If you rel Canon them, most blog owners won’t even know anything is wrong except they may lose traffic to their tag pages from the SERPs.

Why Target Tag Pages?

Unlike ordinary category and actual post pages, I have found that these are the least monitored WP pages. Also, for people who love tagging, you can end up with hundreds of variations, hence more pages per site. And apart from those people who have either decent SEO knowledge, or a decent SEO Plugin, tag pages are often left open to search engines.

However, this exploit can be used for any part of the site, including actual post pages as well as the site home!
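Because a canonical or 301 hijack of a tag page, as described in the two sections above, is invisible to a visitor, the only reliable way to notice it is to audit your own responses. The following Python script is an added example, not code from this post or from any WordPress project: given one of your own page URLs and the response as fetched, it flags a canonical link or a redirect that points at another host, more than one canonical, and notes whether the page is indexable at all (a noindex tag page is of no use to this scheme). The site name, the HTML responses and the redirect targets are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _HeadScanner(HTMLParser):
    """Collect rel=canonical hrefs and the robots meta directive from a page."""

    def __init__(self):
        super().__init__()
        self.canonicals = []
        self.robots = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and a.get("rel", "").lower() == "canonical" and a.get("href"):
            self.canonicals.append(a["href"])
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            self.robots = a.get("content", "").lower()


def audit_page(page_url, html, status=200, location=None):
    """Audit one of your own pages as fetched; returns (severity, message) pairs.

    status and location describe the HTTP response, so an injected 301 is
    caught even though a redirect carries no HTML body to inspect.
    """
    site_host = urlparse(page_url).netloc.lower()
    findings = []

    if status in (301, 302, 307, 308):
        target_host = urlparse(urljoin(page_url, location or "")).netloc.lower()
        if target_host != site_host:
            findings.append(("high", f"{page_url} redirects ({status}) off-site to {location}"))
        return findings

    scanner = _HeadScanner()
    scanner.feed(html)
    for href in scanner.canonicals:
        if urlparse(urljoin(page_url, href)).netloc.lower() != site_host:
            findings.append(("high", f"{page_url} declares its canonical on another host: {href}"))
    if len(scanner.canonicals) > 1:
        findings.append(("medium", f"{page_url} carries {len(scanner.canonicals)} canonical links"))
    if not scanner.robots or "noindex" not in scanner.robots:
        findings.append(("info", f"{page_url} is indexable, so keep it in the audit"))
    return findings


# Constructed responses for a tag page on a hypothetical site.
TAG_URL = "https://blog.example/tag/seo/"
CLEAN_HTML = """<html><head>
<link rel="canonical" href="https://blog.example/tag/seo/">
<meta name="robots" content="noindex,follow">
</head><body>tag archive</body></html>"""
HIJACKED_HTML = """<html><head>
<link rel="canonical" href="http://link-farm.example/seo/">
</head><body>looks exactly the same to a visitor</body></html>"""


if __name__ == "__main__":
    cases = [
        ("clean", (TAG_URL, CLEAN_HTML)),
        ("canonical hijack", (TAG_URL, HIJACKED_HTML)),
        ("redirect hijack", (TAG_URL, "", 301, "http://link-farm.example/")),
    ]
    for label, response in cases:
        print(label, audit_page(*response))
```

To use it on a live site, fetch each tag page from your sitemap with `urllib.request` (with redirects disabled so the 301 branch sees the status and Location header) and feed the results to `audit_page`; since the check relies on nothing but your own responses, it works whichever plugin or theme is doing the injecting.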

Devious Security Flaw

Security Flaw - Everyone Has One.

Is this a flaw? Yes. Can it happen to you? Yes.

Wordpress, or at least people passionate about it, need to find a way to work on verification of plugins and maybe create a “Trustworthy” verification for plugin releases. Till then, I will rely on my network of people such as Yoast, freelance WP plug-in devs, or my Birmingham based development team who I have worked with for years to test and check anything I install on my sites.

Other Potential Uses Of This Loophole

  • Injecting Malware.
  • Cookie Stuffing.
  • Webmaster Tools Takeover.
  • Sale hijacks.
  • Password and Login Hijacks.

Get your Plug-in Reviewed!

Wordpress Condom - Source: http://www.flickr.com/photos/nbachiyski/1463351154/

Don’t install any old crap you find on the internet. Check it. If you suspect a dodgy plugin, contact Yoast who will run a Wordpress Plugin Review.

There are many exploits for sites, see this article for instance (by Kristine Schachinger).


Rishi Lakhani is an independent Online Marketing Consultant specialising in SEO, PPC, Affiliate Marketing and Social Media. Explicitly.Me is his Blog. Google Profile


Paul Madden April 8, 2011 at 1:19 pm

Alternative angle…

Find a plugin that is already well installed all over and not updated.
Register a domain to suit
Pretend to be the new author having bought the plugin and offer an updated version

Updated version can do all the above

Erm its like yours but without the PPC cost :)

Reply

Sam April 8, 2011 at 1:22 pm

More great/clever research here. Nothing to add as this is thoroughly outside of my wheel house but to say “thank you” sincerely for intentionally putting a massive flaw in the methodology. I love testing things as much as the next guy and trying to recreate some of the things you’ve tried but I think there is a certain line across which should not be crossed unless you know EXACTLY what you’re doing and I think this would certainly be an example of that.

Cheers and keep the good stuff coming (though slow down a bit cause you’re making the rest of us look bad :-p).

Reply

Alex Moss April 8, 2011 at 1:22 pm

Great post. Plugin development is a good way of getting links if it’s popular enough. I have 2 plugins that have backlinks to my site. The first is optional and the second isn’t. I think it’s legitimate to ask for a link back in exchange for a free plugin. There’s room to make it “pro” to remove the link but I don’t do that.

It also works for organic rankings too. I’m on page 1 for “Twitter Feed” and moving between page 1 and 2 for “Facebook Comments”. If someone wants it removed I’d be happy to do so in exchange for a donation. If someone is good enough with code then there’s no reason they can’t edit the plugin to remove the link. If they do so, in my opinion, they’ve earned the right to remove it!

Reply

adamSEO April 8, 2011 at 1:39 pm

Finding older plugins looks quite easy: site:wordpress.org inurl:”stats”

Scrape ‘Last Updated’, ‘Today’, ‘Yesterday’, ‘Last Week’ and ‘All Time’ values and a little sorting in Excel. Bob’s your uncle!

Reply

Sebastian April 8, 2011 at 1:53 pm

Of course that works. Considering the amount of RSS scrapers out there, fucking with links in feeds alone would sneakily gain you some assets (who looks at links in the own feed?).

As a matter of fact, using plug-ins if you’re not a savvy PHP programmer is way too risky. Of course that realization takes the fun out of the whole WP concept, doesn’t it? Its unruled openness is its worst flaw, besides shitty code guidelines that don’t count as poetry (I usually refer to WP [template/plug-in] code as abortive spaghetti-code in an anabiotic code monkey’s dumpster).

End of rant. Seriously, how can you dare to scare the shit out of bazillions of innocent as well as ignorant Web publishers? Shame on you!

Reply

Pete April 8, 2011 at 2:04 pm

Dave told me to comment. So I’m commenting.

Pimp.

Reply

Rhys April 8, 2011 at 2:06 pm

Completely agree with the wordpress.org lack of security. I had a case a while back when a guy copied my plugin (email capture), but with every capture it emailed the plugin author with the email address, adding it to his spam list!

If the silly bastard wasn’t daft & branded his plugin “Better than WP Email Capture!” I’d not have found it

Reply

Justin Parks April 8, 2011 at 2:11 pm

If you can’t develop, or you haven’t paid for the development (open source!!) then you should expect there to be open doors in the plugins you use. The only solutions are:
1. Learn to do it all absolutely perfectly yourself (aye right)
2. Pay someone else to do number 1.

You could also help these plugins to be better by donating a lot more to the developers. It’s cheaper, and if they can make a decent living out of it then they can focus on it. Otherwise, well, you pretty much covered it all in your post mate!

(@davenaylor suggested/demanded we leave a comment.) Taaa Daaa! I aim to please.

Reply

Jason Duke April 8, 2011 at 2:13 pm

I like this WP plugin, seems popularish yet not updated for a few months.
Do you think they’ll sell to me for say $100?

http://bit.ly/hxCc2O @rishil

Reply

LordManley April 8, 2011 at 2:31 pm

Of course, you could end up in prison if you are not careful about it – The Computer Misuse Act 1990 and all that.

Reply

Paul Madden April 8, 2011 at 2:51 pm

@lordmanley – you and your sensible advice!

Yes you could, please append theory only to my previous comment…

Reply

Marc April 8, 2011 at 3:28 pm

Most people who run wordpress sites don’t second guess their plugins unless it crashes their site or just plain messes up the design. Other than that, forgive the pun, but it’s plug-n-play. Out of site out of mind.

What do you recommend wordpress admins do to protect themselves against these loopholes? Wordpress bloggers don’t have QA departments :)

Reply

Ben Hamment April 8, 2011 at 4:09 pm

good post

“Get 100K backlinks, Get caught, Go to jail ”
No need to create a plugin; exploit-db.com/search/?action=search&filter_page=1&filter_description=wordpress&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

get the POC and automate using shodan

Not that I condone or encourage it.

Reply

Brent Terrazas April 8, 2011 at 5:36 pm

The best is when they then go and appear as guest bloggers on all the wordpress and design sites touting the “top 5 wordpress plugins you can’t live without’… of course theirs being one of them… I still see it (promised already i wouldn’t show the link after joking with Rishi on twitter about it)..
And no it’s not me.. i don’t need to embed exploits in my plugins to rank well ;P
-b

Reply

Jack April 8, 2011 at 5:44 pm

It’s what I tell everybody about the WordPress idea – “If it sounds too good to be true, it probably is and also will make good fodder for some hackers doing exploits”

Reply

Aussiewebmaster April 8, 2011 at 10:19 pm

Give away all my secrets – thanks mate

Reply

Roie April 10, 2011 at 11:32 am

It’s the same concept as torrents and hacked software being bundled with viruses and trojans to hijack PC’s of unsuspecting down-loaders eagerly awaiting to use the next MS or Adobe software for free… these days, anything offered free should come with a warning label on it.

Reply

Rick April 11, 2011 at 5:06 pm

Scary stuff…you always presume Wordpress is flaw free.

Reply

Liam Kenneth April 12, 2011 at 6:44 am

Interesting Article :)

Reply

Derek Jansen April 12, 2011 at 1:49 pm

Thanks for revealing this topic – while I’ve always been aware of the SEO spam abuse element, the hacking element was ignored.

Reply

roey April 16, 2011 at 5:28 pm

thank you for this great post. what about joomla plugins?
should i be worried as well?

Reply

rishil April 18, 2011 at 8:17 am

yes you should. See my next post…

Reply

Otto April 18, 2011 at 4:49 pm

For what it’s worth, while the wordpress.org plugin repository isn’t reviewed or monitored for bad plugins, we do have a very low tolerance for that sort of thing.

If you find a plugin doing “bad” things (with a very liberal definition of “bad”), then emailing plugins@wordpress.org about it will get it looked at, possibly updated to remove the bad stuff from any existing installs (if there are any), as well as get the plugin developer burned and crucified on the “no-spammer” altar. Mark R (the plugins guy) has a very, very low tolerance and an unforgiving nature about that sort of thing.

We can’t control what plugins are released elsewhere, but we do have complete control over what’s on wordpress.org and will take whatever steps are necessary to remove spammy BS.

A plugin reviewer team would be nice, but it’s a big, big job if you sit down and think about it. We’re only just now getting into stride with the theme reviewer system, implementing a plugin review system is an order of magnitude more difficult.

Reply

rishil April 18, 2011 at 5:10 pm

Hey Otto, thanks for dropping by. Rest assured, anything dodgy we find will get to you guys ;)
I just wanted to highlight that stuff like this does and can happen.

Reply

Paul Anthony August 21, 2011 at 5:38 pm

Rishil,

I think Donncha has a security plugin – sweeps your code looking for Base64 and other various nasties.

http://ocaoimh.ie/exploit-scanner/

Well worth a look

Paul.

Reply
