Think Like a Hacker Episode 88

Episode 88: XCloner Vulnerabilities, LokiBot Malware, & a 14 Year Old Nets a $25K Bug Bounty

Our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. These vulnerabilities could have allowed an attacker to modify arbitrary files, including PHP files.

The US government Cybersecurity and Infrastructure Security Agency is warning of detected persistent malicious activity traced back to LokiBot infections.

An upcoming API change will break Facebook and Instagram oEmbed links across the web beginning October 24. Google has launched the Web Stories for WordPress plugin with a drag-and-drop, WYSIWYG interface for making full-screen, tappable content.

Drupal patches a critical reflected XSS vulnerability. And a critical stored XSS vulnerability in Instagram’s Spark AR Studio nets a 14-year-old researcher $25,000.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Critical Vulnerabilities Patched in XCloner Backup and Restore Plugin
2:01 CISA warns of notable increase in LokiBot malware
3:05 Upcoming API Change Will Break Facebook and Instagram oEmbed Links Across the Web Beginning October 24
4:08 Drupal patches critical reflected XSS bug and other security flaws
5:25 Google launches Web Stories for WordPress plugin and ‘Web Creators’ community
6:08 Critical stored XSS vulnerability in Instagram’s Spark AR Studio nets 14-year-old researcher $25,000

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 88 Transcript

Scott Miller:

Hey, everyone. It’s Scott from Wordfence. You’re listening to Think Like a Hacker, the weekly podcast about WordPress, security, and innovation. Let’s jump into this week’s stories.

Our first story this week takes a look at the critical vulnerabilities patched in the XCloner Backup and Restore plugin. On August 14th, our Threat Intel team here at Wordfence found multiple vulnerabilities in the XCloner Backup and Restore plugin, which is installed on over 30,000 sites. The plugin is designed to provide WordPress users with easily customizable backups and easy restore functionality. The vulnerability that our Threat Intel team found allowed authenticated attackers with subscriber-level or above capabilities to modify arbitrary files, such as PHP files. These capabilities could allow an attacker to achieve remote code execution, as well as other malicious access. The plugin also contained multiple other endpoints that were vulnerable to Cross-Site Request Forgery, or CSRF.

After finding the vulnerabilities on August 14th, we reached out to the plugin’s team on the 17th, and were able to disclose the details of the issue to their team the next day, on the 18th. The team behind the XCloner Backup and Restore plugin quickly released an initial fix on August 19th, which resolved the most severe issue. An additional patch was released on September 8th to resolve the remaining issues that we had discovered.

Wordfence Premium users received a firewall rule on August 17th to protect against any exploits targeting these vulnerabilities. Sites using the free version of Wordfence received the same protection on September 17th. These issues are considered critical security issues as they could lead to remote code execution on a vulnerable site’s server. We recommend updating to the fully patched version, which is 4.2.153, immediately if you haven’t already.

In our next story, CISA warns of a notable increase in LokiBot malware. The Cybersecurity and Infrastructure Security Agency, or CISA, issued an advisory warning of an increase in the use of LokiBot malware by malicious actors. LokiBot is a widespread Trojan and so-called information stealer, and since July, we’ve seen an increase in attacks. Once the malware is on your device, it uses its capabilities to check applications and exfiltrate information and credentials from applications. LokiBot also has backdoor capabilities, which can allow attackers to perform additional malicious tasks. CISA developed a Snort signature for use in detecting network activity that would be associated with LokiBot, and that can be found on the CISA.gov site. Be sure you’re maintaining up-to-date antivirus signatures and an up-to-date operating system as well to combat this.

In our third story this week, upcoming API changes will break Facebook and Instagram oEmbed links across the web. In an upcoming change on October 24th, Facebook and Instagram will be removing unauthenticated oEmbed support, causing issues for content across millions of websites. Users will then be required to generate an app ID with a dev account in order to proceed in embedding links via oEmbed. In response, WordPress will also be removing Facebook as an oEmbed provider in an upcoming release. This is also expected to cause issues with a great deal of content. In the Gutenberg plugin, Facebook and Instagram blocks were removed in a recent release. Current oEmbed links will continue to function until the Facebook API changes go live.

This is undoubtedly going to frustrate users when they run into issues and can no longer embed Facebook and Instagram links as easily as they were in the past. Additionally, these changes are going to challenge publishers going forward and how they share media links in their content.

Up next, Drupal patches a critical reflected cross-site scripting bug and some other security flaws. The popular open-source content management system Drupal has recently patched an XSS, or cross-site scripting, vulnerability as well as some less severe issues. These issues could allow an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the cross-site scripting vulnerability, according to a recent statement by Drupal.

This was deemed a critical issue, and Drupal, which powers nearly 600,000 sites, patched this issue alongside four others which were classified as moderately critical. Security patches were added into software updates issued on September 16th. All of the mentioned flaws here impact the Drupal 8 and 9 release lines. If you’re currently running Drupal 8.8.9 or 8.7.9 or an earlier version, it’s recommended to upgrade to Drupal 8.8.10. Versions 8.9.5 and older require an update to 8.9.6, and versions 9.0.5 and older are recommended to update to 9.0.6.

Moving on to some good news, Google has launched a Web Stories for WordPress plugin. The Web Stories for WordPress plugin will feature a drag-and-drop, easy-to-use interface built for making full-screen interactable content. Included with the Web Stories for WordPress plugin are some templates, as well as a photo library and free stock video from Coverr. The plugin features advanced customization tools as well as comprehensive visual editing capabilities. The plugin is open-source, so there will be more templates and community content added going forward. The plugin looks to potentially be a great way to engage with your audience on your site.

In our last story for this week, Andres Alonso, a 14-year-old researcher, cashed in on a $25,000 bug bounty after discovering a critical cross-site scripting vulnerability in Instagram’s Spark AR Studio. Instagram’s Spark AR Studio is used to create augmented reality effects for photos and videos. Alonso said that he wasn’t hunting for vulnerabilities, but instead, he was making Instagram filters for himself. Alonso was exploring how Spark AR generates the filter links to test the filter on a smartphone when he ran into a flaw, prompting him to unsuccessfully attempt cross-site scripting, which eventually led to a successful open redirect. Once submitted to Facebook, their security team further investigated the flaw and found that it could be escalated to cross-site scripting. Facebook then notified Alonso that he would be awarded the $25,000 for the bounty and also confirmed that the vulnerability was not exploited in the wild.

That’s all for this week on Think Like a Hacker. I hope the news found you well. Check out the Wordfence mailing list on wordfence.com to stay up to date with the latest security news. In the meantime, have a great weekend. Thanks for listening. We’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
