Pipdig's peculiarities
April 1, 2019 7:19 AM

There was function in an older version of the plugin

we just removed the code you noticed

which could be used to reset a site back to the default settings.

which could kill your site

This function had no risk of malicious or unintentional use.

we pinky-swear we only used it intentionally, and apparently our servers are literally 100% hack-proof, so no worries
posted by BungaDunga at 7:34 AM on April 1 [4 favorites]

Pipdig Power Pack contains malicious code

Just to be clear here, this is not code inserted by a third party, this is code that was deliberately added by Pipdig to attack competitors and their customers.
posted by 1970s Antihero at 7:35 AM on April 1 [2 favorites]

Plugin security is a huge problem with WordPress because the average WP site requires TWO THOUSAND MILLION plugins to get the design and functionality you desire. Add a bloated theme - preferably from ThemeForest where all dysfunctional themes hang out - and congrats on spending your days playing admin whac-a-mole instead of doing actual work.

I was really hoping that the WP devs would focus on creating a flexible high quality theme so that people didn't have to turn to 3rd party plugins and themes to get even the most basic sites started, but instead we got another poorly designed yearly theme and Gutenberg.
posted by Foci for Analysis at 7:51 AM on April 1 [6 favorites]

> code that was deliberately added by Pipdig to attack competitors and their customers

This seems like an extremely uncharitable way to phrase it; it sounds like they put in a reset mechanism as a way to specifically stop someone from using it to distribute malware in pirated versions. Calling those people "competitors" is pretty, uh, generous. Setting aside the piracy angle (which is not insignificant), if they're using it as a vector for injecting malware they're cybercriminals. It's really just a pity that Pipdig's code wasn't able to, I dunno, physically set their houses on fire.

The only issue I can see with what they did is that it wasn't closely-tailored enough; they probably should have restricted distribution of the reset-switch-enabled version so it didn't go to any legitimate customers (and perhaps they did, it sounds like it was only available for a limited amount of time while they were taking down the blackhats).

It also seems like there is a trolling / propaganda war going on, which is consistent with someone who has pissed off some unsavory individuals. I mean, that's sort of the standard MO for the low-grade (not quite script-kiddie but not iOS-zero-day Russian mafia, either) shithead community. They love to go after people with trolling / death threats / SWATing / etc. when they get technical pushback. So I would be very cautious, and would probably tend to give some weight to the company being attacked, in this instance. It's easy for any jackass to start screaming on a messageboard / Twitter account about how awful a company is, particularly if they're a basement-dwelling shitstain whose income stream has just gotten cut off.
posted by Kadin2048 at 8:02 AM on April 1 [4 favorites]

But yeah, in general I'd agree that Wordpress has the architecture of a dumpster fire and I can't understand why anyone in 2019 uses it. It's the goddamn Ford Pinto of CMSs, if Ford had kept manufacturing the Pinto for 15+ years and also if there was a whole ecosystem of people selling aftermarket parts for it.

tl;dr friends don't let friends use Wordpress.
posted by Kadin2048 at 8:08 AM on April 1 [5 favorites]

Given the way the WordPress theme/plugin ecosystem works, I'm surprised we don't see more of these stories. When one installs a theme or plugin, one is deploying straight-up executable PHP code with full access to everything on the site. There is little (if any) effort to audit these add-ons for security problems. And the codebase is often sprawling, spread among many files in deep directory structures, making it tricky to assess everything the developers have decided to deploy. And plugins can be updated often, so even a carefully inspected add-on might later get an unsavory payload. All of this leaves a ton of room for malicious code and/or security holes.

Over the past ~15 years I've worked with lots of WordPress sites, and it's interesting to monitor the attempts to exploit plugin/theme vulnerabilities. Log files on WordPress sites usually show thousands upon thousands of pings from automated scripts probing for various PHP files in the /plugins and /themes directories. Each of those pings represents a plugin or theme with an intentional or accidental security hole that has been discovered.

A few years back there was a nasty security hole in an image resizing library called "Timthumb"; the Timthumb devs fixed the vulnerability when it was brought to light, but then every plugin that included it had to be updated, and some plugins had been abandoned, or just neglected, and it was all quite a mess.

I like stories.
posted by Hot Pastrami! at 8:10 AM on April 1 [5 favorites]
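A small detector for the probing Hot Pastrami! describes, added here as an example and not code from the thread: it parses Apache combined-format access log lines and counts direct requests for PHP files under /wp-content/plugins and /wp-content/themes that the server refused. The log lines, IP addresses and plugin/theme names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format; the IPs are
# documentation ranges and the plugin/theme names are made up for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2019:07:14:01 +0000] "GET /wp-content/plugins/old-gallery/upload.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2019:07:14:02 +0000] "GET /wp-content/themes/some-theme/timthumb.php?src=x HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Apr/2019:07:15:11 +0000] "GET /2019/03/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2019:07:16:30 +0000] "GET /wp-content/plugins/file-tool/connector.php HTTP/1.1" 404 209 "-" "python-requests/2.21"
198.51.100.4 - - [01/Apr/2019:07:17:45 +0000] "GET /wp-content/plugins/contact-form/js/scripts.js HTTP/1.1" 200 8001 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Apr/2019:07:18:02 +0000] "POST /wp-content/plugins/old-gallery/upload.php HTTP/1.1" 403 199 "-" "curl/7.64"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A request for a .php file directly under the plugins or themes tree is
# rarely legitimate: real plugin traffic goes through admin-ajax.php or the
# REST API, so a direct hit that the server refuses is almost always a scan
# for a known add-on entry point.
ADDON_PHP_RE = re.compile(r'^/wp-content/(plugins|themes)/[^?]*\.php$')


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['path'] = rec['target'].split('?', 1)[0]  # drop the query string
    return rec


def is_addon_probe(rec):
    """True when the request looks like a scan for add-on PHP entry points."""
    return (ADDON_PHP_RE.match(rec['path']) is not None
            and rec['status'] in (403, 404))


def find_probes(log_text):
    """Return the parsed records that look like plugin/theme probes."""
    recs = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in recs if r is not None and is_addon_probe(r)]


def summarize(probes):
    """Count probes per source IP and per probed path (two Counters)."""
    by_ip = Counter(p['ip'] for p in probes)
    by_path = Counter(p['path'] for p in probes)
    return by_ip, by_path


if __name__ == '__main__':
    by_ip, by_path = summarize(find_probes(SAMPLE_LOG))
    for ip, n in by_ip.most_common():
        print(f'{ip}: {n} probe(s)')
    for path, n in by_path.most_common():
        print(f'  {n}x {path}')
```

Paths that keep showing up across many source addresses are the ones worth cross-checking against the plugins actually installed on the site.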

The attacks on competitors thing is also a reference to this (from the Wordfence link):

It is unclear at this time why Pipdig was directing sites with their plugin to send these requests to a third party site. It’s also not obvious why one of the requests falsely reports the User-Agent of the request.

The sites in question were those of pipdig's competitors. That's a DDOS.
posted by thatwhichfalls at 8:11 AM on April 1 [3 favorites]

Oh, and the requests were scheduled hourly and used a randomized, obfuscated URL each time.
posted by thatwhichfalls at 8:13 AM on April 1 [2 favorites]

This seems like an extremely uncharitable way to phrase it; it sounds like they put in a reset mechanism as a way to specifically stop someone from using it to distribute malware in pirated versions.

The DDOS and password-resets-in-a-cronjob part of this mess suggests otherwise. That sure doesn't look like an "insufficiently tailored" thing, and the followup article mentions that the pipdig code pulls down a list of competitors' URLs for currently-unclear reasons.
posted by mhoye at 8:13 AM on April 1 [5 favorites]

Someone used bad PHP, bad web design and good marketing to dupe a bunch of trusting blog users into making the web a worse place.
It's like the early 2000's have returned!
posted by thatwhichfalls at 8:29 AM on April 1 [4 favorites]

I saw this over the weekend and holy shit there is some evil code in there.

Their plugin disables a laundry list of other plugins. The best is where it disables one hosting company’s optimization plugin, then pops up an alert suggesting that if your host is slow, why not try Pipdig’s?

And there’s the part where it hits a few Pipdig-controlled URLs every hour, and if it finds your site in there, then it can reset your site password or *delete your entire Wordpress database*. Hope you’ve got backups!

Kadin2048 > I can’t understand why anyone in 2019 uses [Wordpress]

I moved to Wordpress in late 2011 and have most of a decade’s worth of data in it, plus multiple custom themes for my comics. Moving all of that to a new system would be a fuckton of work; I’d rather spend my time drawing new comics pages than rebuilding infrastructure I got working well a decade ago, and I don’t have the money to pay someone else to do it for me either. I don’t even want to spend the time to survey the five zillion CMSs out there and winnow it down to three or four candidates to switch to. So that’s my reasons to be using it in 2019.
posted by egypturnash at 8:34 AM on April 1 [14 favorites]

I'm a bit surprised Pipdig didn't take advantage of the date and claim it was all an April Fools' day joke.
posted by suetanvil at 8:41 AM on April 1

I use WordPress because it does what I need, I am small time, and because I just use it for blogging and content (my own) tracking and I do regular backups that I test, it's sufficient.

I don't want to spend hours on selecting and configuring and using yet another fucking platform to do the same job.
posted by kalessin at 8:43 AM on April 1 [5 favorites]

Also: This plugin can be used to generate static sites with WordPress, making the site much faster and much harder to hack.

(Disclaimer: not a WordPress user; I never use a CMS I didn't write.)
posted by suetanvil at 8:49 AM on April 1 [1 favorite]

The only issue I can see with what they did is that it wasn't closely-tailored enough;

I can sort of go with a story about putting remote control nukes in your code as a way of dealing with someone you don’t like, but when you a) try to obfuscate said code, b) attack the people who point it out, and c) attempt to erase the fact that it ever existed from your repository then we have a problem.

C) in particular is worrisome. "Yes, we had dicey code in there. Whoops. We’ve removed it and won’t do that again." would be much more reassuring than publishing a new version for apparently no reason and wiping out your repository history.
posted by Tell Me No Lies at 9:05 AM on April 1 [3 favorites]

(This is true, but only because I like writing CMS software more than I like blogging.)
posted by suetanvil at 9:05 AM on April 1 [2 favorites]

I disagree that Wordpress needs tons of plugins to make it functional. If you are designing and developing your own themes you really don’t need any plugins and reliance on plugins is just asking for trouble. One of my big issues with theme hosts is that many intentionally obfuscate their code to make customizing anything near impossible. Seriously, using basic Wordpress code it’s possible to develop a ground-up site in a few hours and I say this as a designer, not a developer.
posted by misterpatrick at 9:28 AM on April 1 [2 favorites]

we have silently removed
an obscured function
that was in the
older plugin

which you probably
did not know
allowed us to get
your admin credentials

Forgive us
for ddosing a competitor and disabling other plugins and suggesting ours as a solution for the problem we caused
and being able to wipe your WP site and emailing your admin password around in clear text and rewriting pages to change links for particular products to our own sites and pretending like nothing was wrong with any of that
it was delicious
posted by "mad dan" eccles at 9:35 AM on April 1 [15 favorites]

Kadin2048, what else would you recommend though?

Not sure what else is out there and featureful and well supported.

I personally use a neat piece of blogging software called Known but it's kinda niche. I'd be curious if there were any other good things out there.

I know that a popular alternative is "just run a static site generator!" but not everybody wants to worry about where they're storing the magical pile of text files which can be turned into a site by opening a terminal, typing a command, and then uploading the lot.
posted by edheil at 9:38 AM on April 1

I don't know anything about this, but this bit from the Pipdig front man's response post seems awfully telling:

The information about us was published on a Friday night, which is a classic journalistic technique since it is assumed a company can’t defend itself until Monday.

Always a good sign when people want to whine about The Media using a Friday publication date, though usually they're whining that people are doing that to bury a story, but then he follows immediately with

The information was initially published in closed Facebook groups, where we have no ability to defend ourselves or supporters

Wait, was this journalism, or was this a walled garden? Dude, please.

I am grateful for the MeFi community's assessment of WordPress, though. I'm needing to make a professional page for the job market and a lot of folks do use WordPress.
posted by Made of Star Stuff at 10:19 AM on April 1

Keep in mind you can pay the Wordpress company for hosting; there are also some simple free plans. Which is about the only way I'd choose to use it. There's no way I'd choose to keep up on WP security/plug-ins on my own time. That's just nuts.
posted by seanmpuckett at 10:27 AM on April 1

I'd agree that Wordpress has the architecture of a dumpster fire and I can't understand why anyone in 2019 uses it.

It is, still, as far as I know one of the easiest CMS platforms to get working and has a ton of momentum behind it. A lot of folks have stood up sites using WordPress and moving to new platforms - cleanly, with URLs and graphics and embeds and everything else intact - is non-trivial.

It has momentum for new adopters, and inertia for people who've already adopted it.

I have two sites on WordPress. I'm in the process of using the static site plugin to export them and just leave that content as-is. I haven't found a new platform I really want to use and may wind up just editing HTML with Vim and saying to hell with it for new content... all the supposedly easy static site generators are a PITA to set up with dependencies and such if you're not on their target platforms (e.g., a mac or Ubuntu).
posted by jzb at 10:29 AM on April 1 [2 favorites]

Just to make it clear: I use WP every single day across a half a dozen installations. I shit on it because it has some major flaws but honestly there's nothing even close to it on the market.
posted by Foci for Analysis at 10:35 AM on April 1

It's been years since I've worked in WordPress but it's still a perfectly fine platform. Just keep your dependence on third party code to a minimum. That includes plugins and themes, both.

Sure, this restricts your design and feature options. But honestly, I don't see a lot of point any more to extensive blog customization. Users prefer it when layouts are simple and recognizable, when graphics are minimal and limited on illustrative elements. Opening your site to comments turns your blogging from something you do when you feel like it to a part-time career mandating eternal vigilance and borderline paranoia. Keep things clean and lean; it's not just an esthetic choice, it's for your mental health.

As for myself, though, I don't think I'd spin up another active hosted blog. All the server automation was primarily for two purposes: Active link compilation (so that every page on your site can have timely updated navigation) and comments management. Something that compiles behind a wall and throws up static pages is the way to go now, since blog commenting is poison and links only have to be updated when you have something new to say. Sooner or later there will be something Wordpress-level easy for you to run yourself.
posted by ardgedee at 10:37 AM on April 1

Kadin2048, did you look at the code snippets published along with the security analyses? I don't code PHP (or at least I haven't since, I dunno, 2002-ish?), but it's pretty obvious to me what most of the code does, and it's not what the Pipdig developer's blog post claims it does. The code they claim is a "reset mechanism" for restoring the site to its factory defaults does nothing of the sort; instead it deletes all data, including content. The competitor targeted by the DDOS attack does not appear to have any relationship to the supposed "cybercriminals" that Pipdig claims they were dealing with. Pipdig implies in their post that the DDOS'ed URL may be due to a misconfiguration on their user's installation, but the code makes it clear that's nonsense. That URL is retrieved hourly from a text file hosted on Pipdig's own servers. There's also (relatively weak) obfuscations of hard-coded URLs apparent throughout the cited code.

This isn't a question of anti-malware code not being closely-tailored enough. This is about code that looks pretty much like malware itself, and the head of the company acting super dodgy and dissembling when getting called out on it.

I'd take a closer look at the security blogs and Jem Jabella's twitter thread if I were you. In my opinion, none of it bears much resemblance to your characterization of this being probable trolling or a propaganda war.
posted by biogeo at 10:40 AM on April 1 [4 favorites]

This is the greatest sentence from Pipdig's response:
There is a function in the plugin which can be used to clear database tables, much like a backup or standard reset plugin.
Describing a function that wipes your database as "much like a backup" is... *chef kiss*
posted by skymt at 10:52 AM on April 1 [9 favorites]

My favorite part of the response is how it dances around these "functions" being triggerable at-will, remotely, by Pipdig itself. It's like describing a keylogger as "a function that transfers your data to a cloud provider, much like a backup"
posted by BungaDunga at 11:36 AM on April 1 [2 favorites]

Hm, yeah something fishy is going on with Pipdig, I guess. I looked at the code but admittedly only quickly, and I thought the random-URL DDOS-ish thing was the code that was being injected by the alleged pirates who were giving the stuff away, i.e. it was part of the malware that was being distributed, not Pipdig's code itself. That's... no bueno.

I still think that skepticism is advised whenever someone may have kicked over a blackhat hornet's nest, but in this case nobody really looks good the more you dig into it. Weird.

Anyway, on the general Wordpress front, I migrated off of it a few years back and now use Jekyll as my go-to platform for basic sites. There is an official WP to Jekyll importer (that's for self-hosted Wordpress; for Wordpress.com there's a different tool). There's also a different migration path that uses a Wordpress plugin to export content into the format used by Jekyll. (I went Wordpress to Blosxom to Jekyll so I can't comment on any of those paths from personal experience. They seem reasonable, though.)

I prefer Jekyll for several reasons: one, it's a static site generator rather than a dynamic CMS, so it's much cheaper to operate (doesn't require a database, uses whatever HTML server you want, bare-ass cheap hosting is fine); two, it's more secure—there's no executable code being run on the server in response to page requests (aside from the web server itself), and thus no avenue for code injection, which is the basis of most Wordpress issues; third, its architecture works very well with modern version-control systems and CI systems. Each post is just a Markdown-formatted text file on the filesystem. You can collaborate and give multiple users rights to add content to the site by using the version control system's access control mechanisms—you effectively outsource all the hard security-focused stuff to GitHub / GitLab / Bitbucket / whatever, separate from the site/server security. There are web frontends for content creation as well, if having your authors use a text editor just will not fly, although I've had mixed results with them.

TBH if I was clean-slating things today I'd probably use Hugo, which is written in Go instead of Ruby, but they accomplish much the same task. (There are basically similar tools in every programming language; Pelican is written in Python and also imports from Wordpress; Blosxom used to be popular and is written in Perl, etc. etc. Swear to god, invent a new programming language and ten minutes later someone will build a static site generator with it. Sometimes people devise programming languages just to build the damn things.)

All that said... Jekyll/Hugo/Pelican all have templating capabilities, and markets—not unlike Wordpress'—exist where you can find free and commercial templates. It's entirely possible, though I haven't heard of it happening, for someone to create a malicious template that, if you just blindly downloaded it and loaded it in, could inject some nasty scripts or something into the finished pages. It's less likely (I can't think of a way for it) to give them control over the server itself or priv-escalate unless the webserver is badly configured, but someone certainly could deface a page, inject ads, or conduct a DDOS that way.

There are cases where dynamic CMSs are still required, but the vast majority of Wordpress installations seem to be for things where a static site could work just as well and would be much lower maintenance. YMMV.
posted by Kadin2048 at 11:45 AM on April 1 [5 favorites]

nobody really looks good the more you dig into it.
I don't think anybody looks bad here except Pipdig.
posted by edheil at 12:03 PM on April 1 [4 favorites]

"...in this case nobody really looks good the more you dig into it."

I'm curious as to how you came to this conclusion.
posted by Floydd at 12:07 PM on April 1 [2 favorites]

I host a (heavily customized) WordPress site, and have made my own WordPress plugins and customized other peoples' to work with my site.

I had a look at the code snippets described, and I can confidently say the following:

• This code was intended for malicious purposes.
• Pipdig is lying about the intended use of the code they added in their response. (On the slight, minuscule, remote, unlikely possibility they're telling the truth, then they are so incompetent it verges into lawsuit-for-gross-negligence territory. But they're probably just lying.)
• What Pipdig did is, for want of a better word, evil.
posted by Quackles at 12:37 PM on April 1 [4 favorites]

Not sure what else is out there and featureful and well supported.

I'm still a fan of Drupal, which seems to have pretty good security monitoring and updates, plus loads of functionality.
posted by kristi at 1:40 PM on April 1 [3 favorites]

Well, Pipdig doesn't look good, certainly. Their excuse did seem plausible on first blush but doesn't hold water once you see the code (and get beyond the mistake that I initially made, which was assuming the malicious code had been inserted into a version distributed by someone else, which is a pretty frequent thing).

Jem Jabella's analysis is good.

IMO, Wordpress as an ecosystem comes off looking pretty iffy; if their target market at this point is mostly nontechnical users looking for a turnkey/no-code CMS, i.e. competing with Wix, Squarespace, etc., maybe Wordpress (the backing organization) needs to create guiderails to nudge users away from buying plugins from rando 3rd-party developers in preference to an official store or something. Particularly since the plugin ecosystem for WP is one of the selling points of the platform in general. It's nice that they've created this whole cottage industry of developers, but on the other hand they've created a low-barrier way to get people who don't know better to run your code on their server. Pipdig's excuse was plausible because, well, it happens.

I'm a little curious what the origin of the beef was with Kotryna Bass Design, but obviously at this point Pipdig doesn't have much credibility, so maybe we'll never know.
posted by Kadin2048 at 1:43 PM on April 1 [1 favorite]

The "whoops, this URL on our site caused our software to DDoS one of our competitors" story just as easily could have been "whoops, this URL on our site caused our software to delete everything on one of our customer's blogs."
posted by zsazsa at 2:20 PM on April 1

Wordfence threat analyst Mikey Veenstra responds to pipdig's response: a Twitter thread: "There's a response from @pipdig on the recent news! Only there's some issues with it. Follow along with me!"
posted by nicebookrack at 6:03 PM on April 1 [3 favorites]

The response post certainly does seem very reasonable... I wonder if Phil actually believes it? (Cue next blog post "I was seriously misled by one of our employees, who in a misguided attempt to promote us inserted this code without authorization").

Amusingly the newly sanitized repo contains further cleanup. Time for a new new repo?
posted by russm at 8:33 PM on April 1 [1 favorite]

> ...maybe Wordpress (the backing organization) needs to create guiderails to nudge users away from buying plugins from rando 3rd-party developers in preference to an official store or something.

Wordpress has had official plugins and themes stores for well over a decade, with formal specifications including GPL licensing for everything they host. At the moment, the main problem is their allowance of freemium wares, so the bulk of the plugins will throw up nagging banners on the admin console or watermark the public-facing site unless the user pays money. And that particular design pattern, of course, has led to ever-escalating code wars to protect the plugin from people who are only interested in the minimal features of the freeware version and would rather not have the sidebar of every page say "ROCKET BOOSTED BY WADNARD SUPER-SEO SPECIAL PLUGIN LITE!"
posted by ardgedee at 2:32 AM on April 2 [1 favorite]

I really just don't get WordPress. You would think that after several zero-day exploits, people would come to the conclusion that there is something inherently wrong with the platform, and that maybe they should migrate to something simpler and more secure? Is this because of the sunk cost fallacy?
posted by 1970s Antihero at 10:40 AM on April 2

Here's an update from Wordfence, with more evidence from Pipdig's version control repositories of bad behavior and trying to hide bad behavior. And it appears their blogger templates are doing similar DDOS attacks.
posted by jjwiseman at 1:20 PM on April 2

The DDoS attacks in the templates are particularly blatant evidence that the folks at Pipdig are scum. There’s no explaining those away.
posted by Tell Me No Lies at 11:26 AM on April 3

This is classic 21st century Evil Scum logic:
"We find it very convenient that a competitor is heavily mentioned throughout the article, and even includes a backlink to their website."

The competitor is "heavily mentioned" because they've been the target of the DDoS attacks in the templates generated by these vile oscillatoria.
posted by Floydd at 10:38 AM on April 4 [1 favorite]

I had to look up oscillatoria and I have to say you're being a little harsh on the little creatures.
Long, thin, motile cyanobacteria! With an emergency back up anaerobic photosynthesis system!
Pipdig would be lucky to be so cool. Or last so long.
posted by thatwhichfalls at 12:24 PM on April 4 [2 favorites]
