Don’t just pay attention to the man behind the curtain, tear the curtain down and burn it. That’s been the general sentiment among the InfoSec community on Twitter this past week in the wake of the discovery of multiple vulnerabilities intentionally built into the popular pipdig Power Pack (P3) plugin. I could easily write 3,000 words digging into the code, but that’s been covered incredibly well already by other researchers. Instead, I’m going to focus more on the effects of this situation, and on how we as a security-minded community can make a difference going forward.
Last week, two security researchers, were independently looking into similar issues that were becoming apparent in the P3 plugin. These researchers were expecting to find a vulnerability within the plugin, or even evidence that malicious code had been injected by adversaries. However, they were surprised to find that the plugin itself included malicious code without having been compromised. Built into the plugin was the ability for pipdig to change the password of any site user, a remote wipe function to delete the full contents of the website, a function that disabled Bluehost caching, and even some code that appeared to attack a competitor of pipdig, among other potentially malicious functions.
After concerns were brought to
The killswitch that
Who Can I Trust?
While some bloggers have actually spoken out in support of pipdig, the question of whether any theme or plugin developer can be trusted has also been brought up a lot in the past week. This is a valid question and not necessarily an easy one to answer. In all likelihood, pipdig didn’t start out with the intent to build backdoors into their customers’ websites, or to use those same sites to attack competitors. I firmly believe that the majority of theme and plugin developers are doing what they do because they see a problem and a solution. The issue of combating piracy is a common issue with premium plugin and theme developers. The issue with pipdig’s solution is that it effectively wipes all of the site content, rather than using the typical solution of disabling the theme or plugin if it is a pirated copy. Often when we see problems with themes or plugins, the problems are unintentional, or due to code that is not following the latest coding standards.
You should never blindly trust a developer to have influence over the code on your website. Just like when malware ends up on your website, code from a malicious developer can have disastrous effects on your website and its visitors. Now, taking a step back, don’t take that as a paranoid, “trust no one,” but more as “trust but verify.” Before you install anything, research the developer.
How Do I Research the Developer?
One of the simplest steps in researching theme and plugin developers is to head over to Google and search for reviews. Read their reviews on multiple sites, see what problems people have encountered with them, and learn how they handle complaints. Be wary of developers who have nothing but positive reviews, as this can be an indication that they have paid for reviews instead of acquiring them naturally from their customers.
If you see results indicating issues like we’ve seen with pipdig this week, it’s probably best to avoid the developer. You want a developer with a history of honesty, integrity, and preferably a refund policy. In the case of pipdig, there are plenty of customers who now have to find a new theme or plugin, and have no way to get their money back, because pipdig does not offer refunds for any reason.
Authored by Topher Tebow, SiteLock Web Security Research Analyst