Plug ‘n Play’s Promiscuous Culture
Platforms like WordPress and Drupal have made publishing and building a web site a breeze, but plug ‘n play has led to lots of buggy code. Is it time for secure alternatives?
The appeal of this is undeniable. WordPress is the choice of millions of small-time bloggers and online opinionaters. But it also powers some of the Web’s most prominent sites, including TMZ.com, Mashable.com and TechCrunch.com.
So what’s the downside? Well, like anything else, the very popularity of these platforms makes them easy targets for malicious actors. Why while away your precious time trying to poke holes in some bespoke, custom content management system when finding an exploitable hole in a WordPress plugin might give you the keys to hundreds of thousands, even millions, of sites that use that platform?
Back in 2011, for example, three popular WordPress plugins (AddThis, WPtouch and W3 Total Cache) were found to have had malicious backdoors added to them, giving unknown attackers the ability to run malicious code on the same server running WordPress. WordPress’s team caught the changes and pulled the plug-ins, then encouraged all users to change their passwords and update their plugins.
As recently as December, W3 Total Cache was in the news again, after it was discovered to be leaving cached web site content available for browsing using specially crafted search queries.
What gives? Well, in one sense, this is the price of convenience. Most WordPress plugins are offered free of charge and, often, you’re getting what you paid for. Even extremely popular plug-ins like W3 Total Cache might be written as a side project by a single developer working out of his or her home, not a fully staffed development shop with quality assurance, customer support and the like.
And, as with other online application marketplaces (Google Play, Apple’s App Store), the sheer volume of plug-ins can make it difficult to do meaningful security audits on any one. There’s no security rating system that WordPress uses to differentiate plug-ins and no easy way to assess the underlying quality of any given plug-in, nor even whether it does what it is billed to do.
In short, caveat emptor is the word of the day in WordPress, as in so many other areas.
The question now is: in a market that’s characterized by free stuff that works, can you make a case for free stuff that works and that’s secure, also?
In a blog post yesterday, Veracode’s Fergal Glynn started that conversation by releasing SmartShare, a Veracode tool that’s a secure alternative to the ubiquitous social plug-ins that are used to allow blog readers to link posts they enjoy out to a wide range of social networks.
These kinds of tools are incredibly useful but, Glynn told me, often link blindly to a dizzying array of web properties and, as a result, can be vulnerable to manipulation or attack. The SmartShare plugin, in contrast, offers secure links to a limited range of reputable (but popular) social networking sites. It doesn’t do user tracking, it’s hosted locally and its code was audited thoroughly for security holes. Veracode is now offering the tool for free to the world along with other security tools: DNS checker and AdiOS – a tool for checking whether mobile apps are tapping into your personal information and contacts.
Of course, the problem of vulnerable applications and code re-use is bigger than buggy social sharing applications. But sounding the alarm about software vulnerabilities is only of so much value if vendors don’t respond. And vendors won’t respond if there’s not a safer, more secure place for concerned web publishers or web surfers to go to. This is a small step – but a step in the right direction.