Episode 92: WordPress Forced Security Autoupdate Protects Sites from Loginizer Vulnerability

An easily exploitable SQL injection vulnerability was discovered in the Loginizer plugin installed on over one million WordPress sites, causing the WordPress team to force an update to sites using the vulnerable version.

The Justice Department is filing antitrust suit against Google for allegedly monopolizing search and search advertising markets. Google Chrome gets an update to fix an actively exploited zero-day vulnerability. And a new feature in Jetpack allows users to post Tweetstorms through WordPress.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:47 Security researcher Slavco Mihajloski disclosed a severe vulnerability in the Loginizer plugin, causing WordPress to force updates to over 1 million sites
6:57 Justice department files antitrust suit against Google
10:14 Google Chrome update fixes actively exploited 0Day Vulnerability
12:14 Turn WordPress blog posts into Tweetstorms

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Episode 92 Transcript

Kathy Zant:
Hello, and welcome to another edition of Think Like A Hacker. This is Episode 92. This is the podcast about WordPress, security, and innovation. I’m Kathy Zant, Director of Marketing here at Wordfence and my co-host…

Ram Gall:
Hi I’m Ram Gall, a QA Engineer and Threat Analyst here at Wordfence.

Kathy:
And star of Wordfence Live.

Ram:
I’m not the only star of Wordfence live. It takes all of us to make it possible.

Kathy:
It is very true, but you are one of the stars. So if you’re not catching Ram on Tuesdays at noon Eastern time and nine Pacific, you should be doing that because he’s definitely bringing all of the security knowledge every single week to the Wordfence Live program. But today we have some great stories for Think Like A Hacker. First of all, this Loginizer vulnerability. It looks like it was a SQL injection vulnerability. Ram, did you take a look at this?

Ram:
I did, actually. We did an assessment on that vulnerability and okay, so it was a lot simpler than you would expect. It was so incredibly basic, a single quote in a username. I’m kind of shocked that no one caught it for this long because literally if you had debugging enabled or visible errors enabled, anytime someone tried to log into your site using a single quote in the username, that would basically result in SQL injection.

Kathy:
Okay, so Slavco Mihajloski is the person who found this, he’s a security researcher. Can you basically walk through what SQL injection is, Ram?

Ram:
Sure. SQL injection is when a web application takes, say user information, and doesn’t sanitize it correctly before sticking it in the database. Again, the classic example of this is when you add a single quote to it and instead of saying, “Hey, I’m going to take this username and stick it in the user field in the database.” It says, “Oh hey, there’s a single quote, I guess the username’s done,” and then you can inject whatever commands you want after the username. And that’s literally what happened. And I’m again, shocked no one found it for forever because just basic testing would have shown those errors.

Kathy:
Right. Now I’ve always seen the semi-colon used as the interruption of a SQL statement and then the appending of another SQL statement to manipulate data in the database. How did this single quote work?

Ram:
Okay. So with semi-colons, you’re maybe thinking stacked queries? So the thing is PHP and MySQL don’t actually allow stacked queries. You will see a semi-colon and a couple dashes or something else to indicate that whatever the original query was, ignore the rest of the original query, pay attention to what the attacker’s inputting instead.

Kathy:
Got you. I learned something. Good to know. So this plugin was on, well, it is on over a million WordPress sites. So somewhere between one million and two million WordPress sites. And the WordPress repository team did something interesting here. What did they do, Ram?

Ram:
I don’t know if I’d call it unprecedented since apparently it’s happened maybe once or twice before, but they basically forced an update on all WordPress installations that they could, which, according to our calculations from our user base, meant 97% of our users were updated to the patched version. And it’s a good thing too, because I mean, this was really easy to exploit and included things like the ability to inject stored cross-site scripting via SQL injection.

Ram:
I don’t know exactly how exfiltration would have worked on this since most of the actual use cases were using SQL injection to inject a malicious JavaScript, which would then be reflected out when an administrator went and took a look at the brute force logs. WordPress added a feature a while back to allow them to do emergency updates like this.

Kathy:
Yeah, and I don’t know where exactly that trigger point is where they decide, okay, we need to push this out versus when they don’t. In the article that was on ZDNet, Catalin Cimpanu had written about WordPress deploying this for security update and he talked to Ryan Dewhurst, who is a security researcher and a friend of ours who is involved with the WPScan project. And he stated that he had found a vulnerability in 2015 in Yoast SEO plugin, and they had pushed out a fix then, but in the entire time that I have been at Wordfence, I don’t remember a case that this has been done.

Kathy:
So it’s interesting that Loginizer, this vulnerability, the SQL injection vulnerability, caused them to want to push this out. And it’s great. It makes WordPress safer because that code is now pushed out to all of the users using that plugin. However, of course there are concerns, privacy concerns, and who-owns-your-site types of concerns. Do you want someone running a repository, someone outside of your organization, outside of your management of your particular site, deciding what code gets pushed to your site, or what doesn’t? What do you think?

Ram:
I mean, here’s the thing. I definitely do trust the WordPress repo managers to the extent that I don’t expect them to intentionally push malicious code, but we do run into the issue where if there’s say a supply chain attack, and instead of pushing out a patch, someone manages to gain access to keys that allow them to push out a vulnerable or malicious version of something that does present a huge attack surface.

Ram:
But I mean, at the same time, it does come down to how much you trust whoever’s pushing the updates. Wordfence offers automatic updates, and we offered them before they even came into WordPress core, but we do let you turn that off if you want to.

Kathy:
Right, so it’s the end user, the end user of that software, the site owner, who decides to opt into that, whereas with this, there was never any opting in necessarily.

Ram:
It’s definitely a problem that could be… There are ways this could go wrong. And again, it just depends on how much you trust the people that run the WordPress repository. I mean, I trust them, but what if someone who has a lot of access gets their private key compromised? There might be better checks and balances in place than we’re aware of; as long as there’s no single point of failure, it’s probably okay.

Kathy:
Yeah. Well, this definitely underscores that software, especially in the open source community, is a relationship and a decision of trust. You’re trusting WordPress, you’re trusting the WordPress community, you’re trusting the plugin developers that you decide to use their code on your site. So it’s pretty interesting. Speaking of trust, what about some antitrust?

Ram:
Oh, I see what you did there. So it turns out that the DOJ has brought a lawsuit, an antitrust lawsuit, against Google, basically accusing them of behaving anti-competitively. And I’m not going to weigh in on too much opinion on that but Google is a dominant force in our world. You open up pretty much any device and it’s the default search engine unless you’re opening up Internet Explorer or Edge.

Kathy:
Right, or you’re making a decision to use something else.

Ram:
Which ironically, Internet Explorer was the subject of the last big antitrust lawsuit against Microsoft because they bundled it by default with every Windows installation and they were trying to become the de facto browser. And I mean, Google’s become the de facto search engine and in a lot of ways they’ve done that by partnering with… Even Apple, who they’ve got a competitive relationship with when it comes to mobile devices, they still pay Apple to have Google be the default search engine on all their mobile devices.

Kathy:
Right. I mean, Google’s become the de facto solution for so many different software use cases. Your favorite YouTube channel, well, YouTube is owned by Google. Your docs, your documents, your spreadsheets, you may be using Google Docs. I know a lot of organizations are deep into the Google ecosystem, so to speak. Gmail. Google’s just pretty much dominating so many different technology areas right now, but this is all about what they’re doing with search, isn’t it?

Ram:
The one thing about Google is that pretty much everything that they do is intended to be in service of their advertising business, and search is the primary driver of that.

Kathy:
It is.

Ram:
So it’s going to be really hard to tell what any potential consequences of this would be, even if the suit goes through, just because they are so big and so used by literally everything we do that prediction becomes impossible. I mean, traditionally what you were saying with AT&T when this happened, they broke them up into various regional bells, right?

Kathy:
Right. Yeah. There was Ameritech in the Midwest and I think Southeastern Bell and all of the different… It was Ma Bell and Baby Bells and they broke them all up and then what happened after that?

Ram:
Hey, I love Babybels. They’re the little cheese wheels. Those are great.

Ram:
They are. They’re quite delicious. We are a connoisseur of the Babybels here. But what ended up happening with those smaller regional telephone systems is that they started merging with other ones. I have one prediction about this antitrust action. One prediction that I know is going to come true. Lawyers are going to make a lot of money.

Ram:
There are two things that you can predict about the future apart from the traditional two of death and taxes. Number one is lawyers are going to make a lot of money. Number two is that the future is going to be weird.

Kathy:
I think 2020 has proven that quite well.

Ram:
Exactly.

Kathy:
Well, Google’s in the news as well with Google Chrome. What’s going on with this zero day?

Ram:
This was a zero day, which means that the security researcher who found it, let’s see, what was his name? It was Google Project Zero’s Sergei Glazunov. So Google has a security research team called Project Zero, dedicated to hunting zero days and making sure they get patched as soon as possible, which incidentally explains why they were able to get it patched literally the day after they found out it was happening. But this was being exploited in the wild, and I guess it was a bug in a library called FreeType, which converts fonts to images, and it was an overflow vulnerability, which meant that if you told the converter that you were trying to make an image bigger than it actually allowed, you could write whatever you wanted into nearby memory.

Ram:
I mean, memory corruption bugs, depending on the system layout, they can be really bad or only kind of bad and they can take either very little effort to get full remote code execution, or they can take a ton of effort to just do things like flip a bit here and there to disable security features. The fact that they were finding it exploited in the wild makes me think that it was likely being used for something bad.

Kathy:
Probably. And there were some other vulnerabilities that were patched in this update as well that looked pretty significant as well?

Ram:
Yeah, I believe they were all memory corruption bugs as well. There was one in Blink, which I don’t remember what that library is used for. There was a use-after-free in some sort of media process and there was a use-after-free in PDFium. And oh man, use-after-frees, I do not want to get into those right now, so let’s not.

Kathy:
Okay, we won’t. Just if you are running Chrome, make sure that you are running the most recent version. If you just reboot Chrome, usually it will just patch itself if you have it set up to do so.

Kathy:
And then we have another story about how WordPress can now turn your blog post into a Tweet storm automatically. What did you read about this, Ram?

Ram:
I thought this was actually pretty cool. It looks like it’s a Jetpack feature. And basically, in the old days, content creators would have to write Tweet storms and blog posts separately, or write a blog post and then convert it to a Tweet storm, or write a Tweet storm and then decide to convert it to a blog post. And I mean, let’s be fair, only a few thousand people are actually going to benefit from this initially. I am wondering if it’s going to automatically add a “Buckle Up!” to the beginning of the post.

Ram:
But I do see this being useful for content creators, just because it means that they can generate content in one place and have it go to multiple locations. I mean, it does add to the Jetpack trying to do everything.

Kathy:
Yes. The behemoth.

Ram:
Although, they are offloading a lot of that to software as a service stuff so that it’s not as heavy on the actual plugin side, but that does come with its own set of challenges. But I thought it was cool. I don’t know how many people are actually going to use it at first, but I’m probably going to read threads by people who use it.

Kathy:
Yeah, it’s interesting though, when I run into a Tweet storm, I’m always looking for Threaderapp so that I can read it just all in order. So we have WordPress, which is taking content and getting it ready for a Tweet storm and then we have other apps like Threaderapp that are pulling things out of Twitter and making it more legible and it just, I guess, goes to show what a testament to social media Twitter really is.

Ram:
Yeah, I’ve heard a lot of complaints about Threaderapp because it effectively monetizes the content creators’ content without their permission. So this does kind of offer a better alternative in that it puts control over monetization back in the content creators’ hands.

Kathy:
Yes, that is definitely a good point, and just shows you that everybody’s on Twitter. Everyone.

Ram:
Everyone.

Kathy:
Doing something or another.

Ram:
Yeah, including many people who don’t even exist.

Kathy:
True. True. And John298743659, who’s telling us everything he needs to know or we need to know about elections and what not.

Ram:
Everything.

Kathy:
Exactly. Well, it’ll be interesting to see how people use this and we’ll keep an eye on it. Thanks for joining me again on Think Like A Hacker, Ram. It’s great having you as co-host here. What is your Twitter handle if people want to see your Tweetstorms?

Ram:
My Twitter handle is @RamuelGall. I never do Tweetstorms. I am incredibly boring on Twitter. I’m just there to follow other hackers mostly.

Kathy:
Yeah, and to share all of your great research. So no buckling up.

Ram:
Not just mine. Whenever Chloe comes out with something, I share her research, too.

Kathy:
Yes, as do I. Chloe’s pretty amazing. As are you, you guys are so fun to work with. And you guys can follow me. @KathyZant, but it’s more fun to just follow Ram and Chloe because they’re doing all the really cool stuff. I just make you guys look good.

Ram:
I mean, you do a great job of that.

Kathy:
That’s all I do. So that was Think Like A Hacker for Episode 92. We will be back again next week to tell you everything that’s new in WordPress, security, and innovation. Follow us with your favorite podcasting application. You can also read us on the wordfence.com site at /podcast. And we will see you again next week.

Ram:
Bye.

Follow Ram on Twitter @ramuelgall or Kathy @kathyzant. You can find Chloe Chamberland at @infosecchloe. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific. Next Tuesday on Wordfence Live, we’ll be talking about Secure WordPress Hosting: 7 Things Your Hosting Provider Must Do.
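As an added illustration of the bug class Ram describes in the Loginizer segment (this is not Loginizer’s code or Wordfence’s), here is the vulnerable logging pattern beside the hardened one, covering both halves of the chain: the single quote that breaks out of the SQL string, and the stored XSS that fires when an administrator later views the brute-force log. The table name, column names and function names are assumptions.

```php
<?php
// Added example, not Loginizer's code. Assumes a hypothetical plugin table
// `{$wpdb->prefix}login_attempts` with columns `id`, `username` and `ip`.

// BEFORE: raw string interpolation. A username such as  O'Brien  (anything
// containing a single quote) ends the string literal early, and MySQL parses
// whatever follows as SQL. With WP_DEBUG on, the resulting syntax error is
// shown to the visitor, which is how this kind of bug surfaces in testing.
function log_attempt_vulnerable( $username, $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'login_attempts';
    $wpdb->query( "INSERT INTO $table (username, ip) VALUES ('$username', '$ip')" );
}

// AFTER: $wpdb->prepare() binds the values through %s placeholders, so quotes
// in the input remain data. Note that the username is stored verbatim; HTML
// escaping belongs on the output side, not here.
function log_attempt_safe( $username, $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'login_attempts';
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (username, ip) VALUES (%s, %s)",
        $username,
        $ip
    ) );
}

// Second half of the chain: the stored username is rendered on an admin-only
// log page. Without esc_html() a username containing <script> becomes stored
// XSS that runs in the administrator's browser, even though the INSERT above
// was parameterised correctly.
function render_attempts_table() {
    global $wpdb;
    $table = $wpdb->prefix . 'login_attempts';
    $rows  = $wpdb->get_results( "SELECT username, ip FROM {$table} ORDER BY id DESC LIMIT 50" );
    echo '<table>';
    foreach ( $rows as $row ) {
        echo '<tr><td>' . esc_html( $row->username ) . '</td>'
           . '<td>' . esc_html( $row->ip ) . '</td></tr>';
    }
    echo '</table>';
}
```

The defensive takeaway is that the two fixes are independent: parameterising the query stops the injection, and escaping on output stops the stored XSS, and a plugin needs both.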
