The Wordfence Threat Intelligence team unpacked the security updates in WordPress 5.4.1, and they published quite a few blog posts about vulnerabilities in popular plugins like Ninja Forms, LearnPress, and the Real-Time Find and Replace plugin. These plugin vulnerabilities affected over one million WordPress sites. As a few of these were Cross Site Request Forgery vulnerabilities, so we take a look at how these attacks work and how to avoid becoming a victim to a malicious CSRF request.
We also look at more scams targeting COVID-19 fears and stimulus funds, and Google’s upcoming crackdown on Chrome extensions set to happen in August 2020. We also look at the privacy concerns expressed by many in the information security field about contact tracing initiatives by various companies including Google and Apple as well as governmental agencies.
Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:18 Unpacking The 7 Vulnerabilities Fixed in Today’s WordPress 5.4.1 Security Update.
1:18 High severity vulnerability patched in Ninja Forms.
3:55 High severity vulnerabilities patched in LearnPress.
4:34 High severity vulnerability patched in Real-Time Find and Replace Plugin.
5:56 What is a Cross Site Request Forgery (CSRF) attack?
8:48 Coronavirus stimulus scams are here. How to identify these new online and text attacks.
10:07 Google announces Chrome Web Store Crackdown set for August 2020.
11:21 Security experts warn: Don’t let contact-tracing app lead to surveillance, while Australians download their app over 1 million times, echoing concerns from the CBP data breach from 2019.
Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.
Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.
Episode 75 Transcript
Hello, my WordPress friends, and welcome to episode 75 of Think Like a Hacker, the podcast about WordPress, security and innovation. We have a lot to dive into with WordPress and security news, so let’s get started.
Our first story is about WordPress version 5.4.1 that was released on Wednesday afternoon, at least afternoon in the United States. Ram Gall on the Wordfence Threat Intelligence team spent some time digging into the vulnerabilities that were patched in WordPress 5.4.1. He found seven total vulnerabilities that were patched, five of which were Cross Site Scripting. All of the vulnerabilities looked to be exploitable in certain situations only. Ram put out a blog post that we will link to in the show notes that will tell you more about those vulnerabilities if you want to dig further. This should be a pretty easy update, and if your site is set to autoupdate WordPress, you likely have already received these patches and bug fixes, making your WordPress install even safer.
Next up we have a number of plugins with vulnerabilities that were reported in the last week.
First up, Ninja Forms. Now Ninja Forms is one of the most popular plugins for getting forms activated on your WordPress site. It is installed on over one million WordPress sites worldwide. Ram Gall found a Cross Site Request Forgery to Cross Site Scripting vulnerability. So Ninja Forms has been around for a while, so it has a legacy mode, which allows users to revert styling and features to those of the plugin’s 2.9 version. As a part of this feature, it adds several Ajax functions, which appear to be intended to import forms and fields between legacy mode and default mode. So all of these functions use capability checks, so they’re checking to see whether or not the user that’s using that function has the rights or the capabilities in order to use it.
But two of the functions failed to check nonces, which are used to verify that the request was intentionally set by a legitimate user, so this opens up that plugin for a Cross Site Request Forgery. And then that Cross Site Request Forgery could be used for Cross Site Scripting, injecting malicious content that could affect users of the WordPress site. Now the great thing about Ninja Forms is that they have a vulnerability disclosure form on their site, so it makes it incredibly easy for security researchers to get in touch with the plugin development team and report vulnerabilities that may be discovered.
Our Threat Intelligence team is always looking for possible attack vectors, ways that attackers can get into WordPress. So when we find a plugin developer that has an easy way to get in touch with them, it means that plugin vulnerability is going to be patched much faster because we’re not trying to find appropriate channels to communicate with those plugin developers. A lot of plugin developers don’t have a security inbox set up with an actual proof that we’re talking to that plugin developer, and not just reporting security vulnerability to perhaps a malicious attacker that then might use that. So it’s always good if you are a plugin developer, to ensure that you have a vulnerability disclosure form or process elucidated on your website, so security researchers can get in touch with you.
So this blog post has a link to information, basically, first of all, showing you how Ninja Forms is doing it and also something from Hacker One talking about the importance of vulnerability disclosure policy on your website.
Next up, LearnPress. LearnPress is a learning management plugin installed on over 80,000 WordPress sites. Ram Gall also discovered high severity vulnerabilities in LearnPress and worked with that developer to ensure that those are fixed. Those two vulnerabilities include a privilege escalation vulnerability, as well as a post creation and modification vulnerability. Wordfence Premium and free users are currently protected from exploitation of those vulnerabilities, but still ensure that you are patched to the latest version of LearnPress if you are using that.
Next up, a vulnerability discovered by Chloe Chamberland. This is a Cross Site Request Forgery to stored Cross Site Scripting vulnerability found in the Real-Time Find and Replace plugin. This is installed on over 100,000 WordPress sites. This is a nifty plugin; I didn’t realize that it existed. And I can think of about 100 ways to use it, so realtime find and replace provides functionality so that you can dynamically replace HTML content basically on the fly with new content, so you’re to permanently changing source content within the database or within a plugin. That replacement data just basically loads before it’s delivered to the user’s browser, so hence the “real-time” find and replace.
Chloe found this Cross Site Request Forgery flaw that allowed stored Cross Site Scripting. It’s been fully patched in version 4.0.2, so make sure that you update to the latest version that is available if you are using this nifty plugin. One great thing about this vulnerability is that if you’re using Wordfence, whether you’re using the premium version or the free version, Wordfence is protecting you from any exploitation here because our built in Cross Site Scripting firewall rule was sufficient to block any exploitation here.
So a few of the vulnerabilities we’ve discussed today have been Cross Site Request Forgery vulnerabilities. And I thought it might be interesting to look a little deeper about what a Cross Site Request Forgery actually is. So from the Open Web Application Security Project, which basically defines the types of vulnerabilities that exist, and they have an incredibly — if you’re into information security — they have a great website where you can learn a lot more about the types of vulnerabilities and different exploits. So Cross Site Request Forgery, this is what they say, “It is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.”
So what does that mean to you, the website owner? This means that an exploitation of a vulnerability cannot happen without an attacker doing something to trick you into performing some kind of action. Now how would an attacker do this? Well, let’s think about some of the ways an attacker might communicate with you. If you have chat set up on your site, they could send you a message via chat that was specifically crafted that would take advantage of a vulnerability that might exist on your site. They could send you an email, again, with a specific link that if you clicked on that link, it would perform an action that if you were authenticated into your WordPress administrative dashboard, would take over your site, or post malicious content in a form that ends up then posting it to the front end of your website.
So these are targeted kinds of attacks. An attacker would have to know that you have a vulnerability on your site. This isn’t something that’s just going to be blindly hit by a bunch of bots. Now a bot or a spam mailer might send you a link that you may then click on that was specifically crafted, and hoping that you were authenticated, would get into your WordPress administrative dashboard, and then perform some kind of of malicious action.
So now that we know that these types of vulnerabilities can only be exploited when you are clicking on a link, what does this tell you? If you are a WordPress administrator, it’s really important to take a look at anything that might’ve been submitted by an anonymous site visitor, a comment in your comments on your WordPress dashboard, something within a chat, something within your email. And be very suspicious of any links that are inbound. And of course, use a firewall. And ensure all of your plugins and your themes and your WordPress core are all updated, and Cross Site Request Forgery is a lot less dangerous.
Next up, a story from CNET about coronavirus stimulus scams are starting to show up. These scams are showing up in various ways that are preying on unsuspecting and vulnerable people, so things like donating to a charity online, donating to charities through social media, contributing to crowdfunding campaigns, even purchasing products online, or giving personal information in any way that has promised you any kind of money or benefits in any way related to coronavirus. These warnings are coming from the FBI, so look out for any kinds of scams that are preying on your emotions.
In this article, they also quote Trustwave, which stated that 33% of all data breach incidents were the result of phishing or social engineering attacks. Now these are attacks on the human in the equation, much like a Cross Site Request Forgery attack. It requires a human to be vulnerable, so most of security again is education. Educate yourself. Educate others. Make sure that you are aware of the types of frauds that exist and guard your assets.
Next up, an article from ZDNet. Google states that in August of 2020, they are going to basically purge useless Chrome extensions from the web store. Google says that because of Chrome’s success as a top browser platform, they’re seeing an influx of spammers and fraudsters. I always like to report on these stories as a reminder to go into all of your browser extensions and look for anything that looks like it doesn’t belong there, or looks like something that you aren’t using anymore. Just like you need to protect your WordPress site from plugins with vulnerabilities, it’s really important to protect your browsers from any kind of malicious actions. The Google Chrome story currently has over 200,000 extensions, so use your extensions very carefully. They are a part of your browser, so if you’re browsing to your bank accounts, if you’re browsing to any kind of social media, anything that you’re typing into that browser session can be captured as a part of just being resident in your browser.
Our final story today was reported in ZDNet on April 29th. And security experts in the UK are warning the government there to not let coronavirus contact tracing applications lead to surveillance. More than 170 researchers in the UK working in information security and privacy signed a joint statement about their concerns over the NHS, the National Health System’s plans to use a contact tracing app to help contain the coronavirus outbreak.
Of course, in the United States, Google and Apple are working together on a joint initiative for Android and iOS devices using Bluetooth. You’ll need to download an app in order to participate in this. Now the NHS and the government in the UK rejected the joint approach put forth by Apple and Google to help trace the spread of the virus. And they are going to have their own separate tool in the UK.
The BBC has reported that Australia’s COVIDSafe contact tracing app already has over a million downloads. Australian Prime Minister Scott Morrison, has said that social restriction could be eased if enough people start using this app. So that government says that 40% of the population need to download it before they can start easing social restrictions.
So obviously, I work in tech, and I know that technology can solve a lot of problems. And I agree that public health is a huge problem. But I also work in security, and so I will be a little controversial here. Obviously, there are a lot of people who are looking forward to these types of contact tracing apps to slow the spread of a highly contagious disease. Privacy and security is incredibly important to all of us, and it’s been really heartening to see so many governmental organizations, including the EU, coming up with GDPR to safeguard people’s personal information, same thing in California and Nevada.
And working in security, if you’ve listened to this podcast even once, you’ve heard of vulnerabilities. And you’ve heard about numerous instances when there has been a data breach. Even though in Australia, for example, there are privacy concerns. And the government said that only state health authorities would qualify for access to the data that may be collected by the COVIDSafe contact tracing app. Sounds great, right? They are going to protect the privacy of any data that may be collected by some of these contact tracing apps. Sounds great. Well, as a cautionary tale, I just wanted to remind everyone of the story that we covered in podcast episode 21, where CBP, the border patrol basically said that traveler photos and license plate data images were stolen in a data breach.
This data was stolen through a malicious cyber attack that was reported in TechCrunch in June of 2019. So even those these contact tracing apps have the best of intentions to protect your privacy, malicious attacks and breaches happen. We report about them all the time. Assume that they’re going to happen. So just the fact that our government is going to aggregate further information about our movements, and these tech giants like Apple and Google are going to be doing so as well, it will behoove them to protect our privacy. Or we need to find additional ways to opt out of that kind of surveillance.
I don’t think that COVID is going to go away any time soon. And I don’t think the changes in privacy are going to go away any time soon either. And unfortunately, data breaches and malicious attacks are not going to go away either. I grew up in Illinois, Northern Illinois. And there are tollways everywhere. And when I was a little kid, and they’d start building a new road, and they’d put it in as a tollway, I remember my parents talking when I was little, and talking about these tolls and how they were being collected in order to pay for the road, and that the tolls would go away once the road was paid for.
Well, if you’ve ever driven through Northern Illinois, the tolls never went anywhere. Those funds were re-appropriated, and found new homes. Maybe they’re paying for schools or whatever, but the promise of those things going away never happened. And I think the same thing is going to happen with these contact tracing types of applications. Even if COVID ends up being less of a threat sometime in the future, I think these types of contact tracing apps will continue to exist, and they’ll find additional reasons for them.
I just find it’s a very slippery slope and very interesting. And this is my controversial podcast for, so far for 2020, I’ve been pretty tame, but here we go again. They’re always doing something, aren’t they?
So that’s all we have for you this week on Think Like a Hacker, the podcast about WordPress, security, and innovation. Follow us on Twitter at @Wordfence, and follow me at @KathyZant. Follow my boss at @mmaunder because he’s always got something interesting and gets a little controversial himself sometimes.
We are doing Wordfence office hours every Tuesday at 9:00 AM. We are moving over to YouTube for those instead of Zoom. Well, we’re still going to use Zoom to broadcast to YouTube. We’re finding the best technologies that are working for us, so we’d love to have you join us over there. We’re doing it every Tuesday, 9:00 AM Pacific, noon on the East Coast of the United States.
Thanks for listening to Think Like a Hacker, and we’ll talk to you next week.