Episode 80: Critical File Upload Vulnerability in wpDiscuz Plugin

In this week’s news, our Threat Intelligence team discovered a vulnerability in the wpDiscuz plugin, affecting over 80,000 WordPress sites. A blind SQL injection attack affected analytics service Waydev, exposing OAuth tokens for GitHub repositories for software companies, leading to further breaches. A debate about problematic admin notices on the WordPress admin dashboard has many wondering how to best solve the issue, while WordCamps move to all virtual in 2020. And finally, Garmin’s ransomware attack takes down more than step counting.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:13 Critical file upload vulnerability patched in wpDiscuz plugin
1:46 Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev
4:04 Are Plugin Authors to Blame for the Poor Admin Notices Experience?
5:30 WordPress to Stick with Online-Only Meetups and WordCamps
6:27 Garmin falls victim to major ransomware hack

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 80 Transcript

Scott Miller:
Hey guys. It’s Scott from Wordfence. This is Think Like a Hacker, the weekly podcast about WordPress, security and innovation. Let’s get right into this week’s stories.

Our first story is about a vulnerability discovered by our threat intelligence team with the wpDiscuz plugin. The wpDiscuz plugin is designed to allow WordPress site owners to easily add unique comment experiences to their site. This popular plugin, which is installed on over 80,000 sites, had a vulnerability added to a recent update that allowed unauthenticated users with the ability to upload arbitrary files. The update was meant to add image uploads for commenters, but it introduced a vulnerability in allowing anyone to upload files, including PHP files. After reaching out to the wpDiscuz team, the vulnerability was then patched in the latest version, which was released on July 23rd.

Now this is a critical vulnerability that can lead to a site takeover. So be sure if you’re running this plugin, you update to the latest version. Luckily, if you have Wordfence installed, free or premium, then you’re already protected from this type of vulnerability. Now, this also brings up a Wordfence feature that disables code execution in the uploads directory. So if you don’t have a need for execution of files in your uploads directory, then you’re probably going to want to take a look at enabling that in Wordfence. You can read more about this story on the official wordfence.com blog, and the link will be in the show notes. Chloe Chamberland, who discovered this vulnerability, will be demonstrating how this could be exploited on the next Wordfence office hours. So you’re going to want to check that out on August 4th, and we do that at noon Eastern time live on YouTube.

Next up, Waydev has reported a security breach that happened earlier this month. In that attack, both GitHub and GitLab OAuth tokens were stolen from their internal database, leading to exposure of code base stored by many companies in GitHub repositories. Waydev is an analytics platform used by software companies. Hackers gained access by using a blind SQL injection vulnerability, and Waydev was able to patch the vulnerability the same day it was exploited, but not before companies such as dave.com, flood.io, and some others were already exposed. So security analysts at GitHub discovered this breach after a customer had contacted them.

Waydev has been very transparent in the days following this breach and they’ve released IP addresses, email addresses, and user agent strings in order to give the customers some indication of compromise to determine if potentially an attacker has breached their repositories. Luckily, only a small part of their user database was accessed. However, the hackers used these tokens to gain access to other companies’ code bases and were able to see their source code projects.

Dave.com was part of a major data breach where 7.5 million user records were leaked by a single hacker known as ShinyHunters. The breach involved a total of 18 different sites, where a total of 386 million users’ information was auctioned off before being posted for free on a hacker forum. Waydev has released a list of measures that their users should follow to ensure their information is safe. The first is checking for suspicious activity in your GitHub and GitLab accounts, and then going through your code base and changing any passwords and keys. They also recommend enabling a WAF web firewall. We’ve got links to the full articles about these intrusions in the show notes on wordfence.com/podcast. If you’re using any kind of tool that has access to your code, remember that giving access shouldn’t be done lightly. So always remember that you’re at the whim of their security when you grant access. Definitely something to consider, and it’s always a good point to sporadically audit your OAuth security.

WP Tavern had a recent article discussing plugin admin notices, and whether plugin authors or the lack of a notification system in WordPress is to blame for the current notification layout. We’ve all seen these. If you’re an admin on a WordPress site and notices can stack up and take a lot of real estate up quite quickly. It was argued that laying the blame on plugin authors is not particularly fair. WordPress co-creator and CEO of Automattic, Matt Mullenweg, chimed in saying, “I don’t think a notification center is the solution to this problem. It may be useful for other reasons, but not that one.” Now, plugin authors aren’t totally free from blame and have been known to use admin notices for unnecessary items, such as holiday ads or asking their users for five star reviews. There’s currently no solution within WordPress Core for the problem of admin notice fatigue, and yet solving the issue can only really be done in WordPress Core.

The article on WP Tavern has some thoughts about how this could be solved, but it will take some time before a balance between important notices that need a site owner’s attention and an overabundance of these pesky reminders is actually found, and even then, it’s likely to not satisfy everyone. We’d also like to hear your thoughts on these admin notices and the admin notice fatigues. Go ahead and drop a comment on the podcast here and let us know what you think.

Just recently, the WordPress community team has officially announced that word camps will be online only for the remainder of 2020. Now this isn’t a huge surprise, as the remaining scheduled camps were already set to be virtual. Wordfence has also recently gone virtual to keep in touch and talk security with the weekly live stream Wordfence office hours, where we help you get more out of Wordfence and improve your security knowledge. You can check us out on YouTube live on Tuesdays at noon Eastern time. If you missed it this past week, we showed you how to perform a security audit on your own WordPress site. A security audit is always a good thing to consider and perform in order to find potential problems on your site before an attacker does. So next week, we’re going to be diving into exploiting vulnerable plugins, and if you can’t make it, that’s okay because all of our office hours episodes are available to watch on our YouTube channel.

Our last story of the day involves the major ransomware attack on Garmin. The attack left both their fitness tracking and pilot navigation systems offline and has taken almost a week to get everything back up. Garmin posted a brief press release on their site that assures customers that there is no indication that customer data was accessed, lost or stolen. The ransomware known as Wasted Locker was operated by a group known as Evil Corp, a Russian criminal hacking group. Both FlyGarmin and GarminPilot were affected, forcing a plane to be grounded.

Another major concern is that fitness data can essentially be considered personally identifiable information and used to identify someone. Fitness tracking inadvertently keeps track of where your fitness activity takes place, and thus, this can be used to determine where you live. Any company like Garmin that tracks movement and also is so vulnerable to a major intrusion such as this is alarming, given the immense range of products that people rely on. We’ve got some links to an article about the Garmin hack and the show notes. So definitely check those out as it gives you some things to consider.

We hope you enjoyed this episode, so tune in next week to get your weekly dose of security news and make sure to follow us on social media. We use Wordfence on Twitter, Facebook, Instagram, and you can do a search to find us on YouTube as well, where we have office hours every week on Tuesdays at noon Eastern, 9 Pacific time. Thanks again for listening and we’ll see you next week on Think Like a Hacker.

Please give us a like or give us a review on Apple podcasts.

Also, subscribe to the official Wordfence YouTube channel where we host Wordfence Office Hours on Tuesdays as well as post important proof of concept videos.