Think Like a Hacker Episode 97

Episode 97: The Future of WordPress with PHP 8 and WordPress 5.6

With WordPress 5.6’s imminent release and the recent release of PHP 8, we talk about the rapid changes affecting the future of WordPress with new security features and new functionality available to both WordPress users and developers.

We also review a recent vulnerability found by Google Project Zero researchers in iPhones. A social engineering attack on GoDaddy targeted numerous cryptocurrency exchange sites, and what we can learn from these types of attacks.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:48 PHP 8: What WordPress Users Need to Know, Reddit discussion
7:13 Google researcher: I made this ‘magic’ iPhone Wi-Fi hack in my bedroom, imagine what others could do
10:33 GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services
15:43 WordPress 5.6 coming out on November 8; Wordfence Live WP 5.6 livestream

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 97 Transcript

Kathy Zant:
Welcome to Episode 97 of Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Kathy Zant, Director of Marketing here at Wordfence and I’m here with my cohost…

Ram Gall:
Ramuel Gall. Hi. I’m a QA Engineer and a Threat Analyst at Wordfence, and we are hiring so you should come work with us, especially if you’re into DevSecOps.

Kathy:
Definitely, if you are into DevSecOps, security operations, if you want to help us secure our systems, and you’re into Splunk and all of those other fun big network tools, we would love to hear from you. Head over to defiant.com, look for the employment tab and there is a description and an application. Come work with us, and we have all the best jokes.

Ram:
We do. The best. Jokes.

Kathy:
And a very fun team. First up, we have PHP 8. I think that dropped on Thanksgiving here in the US, didn’t it?

Ram:
November 26th, so I think a couple of days before maybe?

Kathy:
Did it? Okay so it was like a pre-Thanksgiving turkey appetizer.

Ram:
It was the cranberry. Wait, is cranberry sauce dessert? I never can tell. I always eat it first.

Kathy:
I always skip it, so I don’t even know. But that’s PHP 8 for me because I’m skipping PHP 8 and cranberry sauce for a while at least. You wrote a very popular blog post about this on wordfence.com telling WordPress users what they need to know about PHP 8. What’s the down-low on this?

Ram:
It’s going to break possibly a number of sites with a lot of old code on them. There’s a lot of functions that were deprecated in PHP 7, which means they could still be used technically, but it’d throw a little notice saying, “Hey, you shouldn’t use this anymore because it’s going away,” that are now gone completely, like create_function. It turns out that 5,000 or so plugins are still using create_function, which is the bad news. The good news is a lot of malware uses that too, so that’s going to stop working.

Kathy:
Oh no.

Ram:
Oh no.

Kathy:
That’s so sad that the malware is going to stop working. So it sounds like PHP 8 is going to be very picky about, what is it types? Type juggling?

Ram:
Yes, in two different ways. Remaining functions are going to be pickier about the type of input they’ll take, especially like mixing and matching scalar versus other data types. You can’t pass in a string where it’s expecting an array or an object. That would throw a notice or warning before, but now it’ll throw an error. Basically it’s more or less every warning or error gets upgraded a level. Not every single one, but stuff that would show a notice in the past will show a warning, stuff that’ll show a warning will now throw an exception, and it’s not going to hide notices and deprecated warnings by default now.

Kathy:
So if somebody was putting input into a form and that input contained numbers and it was expecting letters or a string, would it throw a problem with that?

Ram:
Not entirely. It still does allow type juggling, so the types I was talking about more was scalar versus basically a single value versus data structures. You can’t give it a single value versus a data structure. PHP still does do type juggling, you can still do math and comparisons between integers and strings, but now it doesn’t do crazy, wacky stuff like it used to. In the past, you could do math between an integer and a string that just happened to have a number in it or a string that had no numbers at all and it would still work.

Ram:
That led to some weird stuff like people being able to bypass security checks and nonce checks and stuff. Nowadays, it’ll only do the math if the string that contains the number only contains a numeric representation of a number and white space. So you can check if 6 == "6" (the string representation of six), and that’ll work. You can add those, and if there’s spaces before or after the string representation, it’ll still work. But 6 == "6abc", that’s not going to work.

Kathy:
So it’s going to make things more secure, but there’s going to be, I think, a learning curve for a lot of developers to get used to this different way of doing things.

Ram:
Yeah. Pretty much with any ecosystem as large and varied as WordPress, there’s inevitably going to be some code that relies on it working incorrectly. Just because from personal experience, a lot of the time, once you get it working, you’re just like, “I’m not going to touch it anymore.” We do do testing to make sure that weird stuff doesn’t happen. But with any complex system there’s going to be code like that where even the developer isn’t 100% sure why it works. I feel like that code is going to be hit particularly hard by this kind of thing.

Kathy:
Okay. So as WordPress users, if you’re not back in the code monkeying around and you’re using someone else’s code, have patience with them as they get up to speed on what PHP 8 is going to require. It might take some time before your site that relies on someone else’s code with all of these plugins that you have in your WordPress site is up to speed. So you’ll need to do some additional testing if you are wanting to take advantage of some of the additional features with PHP 8. What is this just-in-time? Is this like compilation?

Ram:
PHP is an interpreted language, but it translates stuff to machine code. What JIT or just-in-time compilation does is it actually keeps track of what machine code gets translated. If it spots a pattern where a machine code gets used repeatedly, it kind of optimizes for that so that it can be reused more easily. To some extent, the opcode caching already did something similar to that, but this happens at a lower level with the JIT.

Ram:
So the cool thing about this, you’re not going to see a lot of changes or a lot of performance improvements for the time being in web applications like WordPress. But basically, after Chrome’s V8 engine introduced JIT for JavaScript … Back then JavaScript was just something you could use to do redirects and fill web forms … Now they’re doing things like building fully functioning computers in it. Windows 10 in JavaScript, or Windows 8 in JavaScript. This was unimaginable 10 years ago. And PHP, basically JIT compiling, allows things to happen a lot faster. Calculation, stuff like that. So PHP could be a lot more useful for maybe data science or something. A lot of stuff that you’d have to have a library installed on the server to do before you might be able to pull off, like fast cryptography, just in PHP.

Kathy:
Great. So long term, we’ll probably see some improvements in speed and performance with PHP, but probably not for a while.

Ram:
Correct.

Kathy:
Okay. Interesting.

Ram:
And that cryptography comment, I’m sure someone’s going to say, “But that could lead to side channel attacks,” and I maybe didn’t think it through, but maybe it could.

Kathy:
Got you. Okay. Well, speaking of attacks, it looks like there is a vulnerability or there was a vulnerability in the iPhone, and a Google Project Zero researcher found it. What do we see here?

Ram:
Project Zero researcher is Ian Beer. Project Zero is Google’s team that finds 0-day vulnerabilities and reports them. I guess this got fixed in May. But effectively what this guy did was found a buffer overflow vulnerability in a kernel module that was accessible via WiFi. It was actually via AWDL, which lets Apple devices mesh network. It lets them talk to each other without necessarily there being an access point. If you’re up-to-date on your iPhone or iOS device, then there’s no real need to worry. But if you’ve been holding it back on an older version and not applying security patches, like if you have it jailbroken, then this might be of concern to you.

Ram:
So what made this one interesting is that it was zero click. It didn’t require a really big or complex exploit chain. It did take him months to actually figure out how to make it work correctly, but it was wormable too, and it was just one guy. So this meant that anyone within WiFi range or even further with a high-gain antenna could take over an iPhone and then that iPhone could be used to take over other iPhones in a WiFi range. This guy reported it, it got patched, but that’s because he was part of a team where their whole thing is responsible disclosure. Some people might be researching these things and not responsibly disclosing them, but selling them to the highest bidder. Most of the time they’ll end up getting patched, but there might be a window between when it gets discovered and when it gets patched.

Kathy:
Basically as an iPhone user, all I can really take from this is just make sure that my phone is updated. But there could be vulnerabilities that I don’t even know about that my phone is vulnerable to right now.

Ram:
There could. I wouldn’t stress about it because most of the people that really have access to these are nation state actors, and they’re not going to be targeting you.

Kathy:
I had to get my tinfoil hat back on.

Ram:
It might be time to get the tinfoil hat. But yes, there is always going to be the possibility, and a fairly strong possibility, that at least one of your devices has an unpatched vulnerability for which a known exploit exists.

Kathy:
Right. And that’s just software, right? Our WordPress sites are just a collection of PHP files and a MySQL database and password. Same thing, you just have to make sure that things are updated, that you’ve got backups, and hope for the best. And don’t put terrible, embarrassing, horrible, sensitive things out on the web or on your phone.

Ram:
Watch for what permission stuff asks for, that kind of thing.

Kathy:
Exactly. Exactly. We might do a story soon about this app that I’m kind of watching right now that asks for some funky passwords. So maybe next week. Maybe that’s a little teaser. I have to show this to you it’s really … Listen next week.

Ram:
Okay, I’m curious.

Kathy:
Yes. I have to show it to you. It’s just crazy. Okay. Next up, we have a story about GoDaddy employees that seem to have fallen victim to a social engineering attack that was targeting multiple cryptocurrency services, actual trading platforms. What do you know about this, Ram?

Ram:
I guess they gained access to the DNS records of liquid.com, which is a cryptocurrency trading platform, which could be fairly bad because if you have access to DNS, you could swap it over to a malicious copy of the site and effectively phish people using the legitimate domain. Which that could be kind of bad, especially for a cryptocurrency trading platform where people are entering sensitive credentials that give them access to a lot of money, which can be sent, not untraceably, but sent without it being easily traceable.

Kathy:
And irrevocably. Once you transfer to cryptocurrency, it’s not like you can call the bank up and say, “I want my Bitcoin back.” It’s transferred. It’s gone.

Ram:
That is one of the few downsides of a decentralized platform.

Kathy:
Right, right. If you have your cryptocurrency on a platform like this, and it’s in one of the exchanges where you’re trading Bitcoin for Ethereum versus Basic Attention Token or all these other Altcoins, and you’re keeping money there on these exchanges, if one of the exchanges has a compromise, then your cryptocurrency that you’re keeping there is at risk as well. That happened quite a few years ago with the Mt. Gox hack, where a bunch of people who had cryptocurrency on that exchange lost it all.

Ram:
Yeah. I remember that. I think a few of the larger holders got reimbursed some of their holdings, but I’m not sure to what extent that actually ever ended up happening. This just kind of goes to show what a huge threat social engineering is. We’ve discussed SIM swapping attacks in the past where attackers will call up the phone company and socially engineer the customer service rep on the line into swapping your phone number over to a SIM card that they attack. And this is kind of analogous.

Ram:
If you call up GoDaddy, they’ll ask you for, I believe these days it’s a PIN number you created, or the last, I want to say six or eight numbers of your card, in order to verify that it’s you. If an attacker can figure out what PIN number you are likely to have used, they can keep calling back and trying a bunch of times until they get it right if they’ve got a small enough pool. But once an attacker has the PIN number, then the customer service rep’s going to be able to make some changes to your account on behalf of whoever is validated in with that PIN number. A lot of changes that a tier one rep might not be able to make might be able to be done by a supervisor if the social engineering is effective enough.

Kathy:
Sure. So this really does point to, just like we’re telling people not to reuse passwords across multiple services, to not reuse PIN numbers across multiple services as well. Your bank PIN number versus your GoDaddy PIN number versus your Verizon PIN number. You should be using different numbers across all of the different services. Because if you use a PIN number, say for myfavoriteshoes.com … I don’t know if that’s an actual website … But a smaller website and you’re buying something and they want you to set up a PIN number. Don’t use the same PIN number everywhere because that can happen as well. You could have a breach happen at a smaller site and that kind of information end up on the dark web and then be used in some attack like this.

Kathy:
And then another thing that I notice with this is “all the eggs in one basket” type of thing. Your domain is so critically important to protect if your hosting and your domain and everything is at GoDaddy and that’s compromised, it sort of puts everything at risk, doesn’t it?

Ram:
It does. Previous attacks have managed to actually transfer domains out of an account into another account or to another registrar. The good news is those can sometimes be revoked or interrupted if it gets caught early enough, but that is tricky to deal with. But even just being able to temporarily change the DNS means that you could then go on to extract things like credentials from users of the service.

Ram:
You mentioned PIN numbers, but a lot of these services will also use the last four of the social or the last six of a credit card. It’ll even work if you’ve got an old credit card on file, and that credit card was in a data breach. You’re probably not going to remove your old expired cards. You’re just going to add new ones to a service, but you can still authenticate with the expired card, which was in a data breach.

Kathy:
Mark says, our CEO Mark Maunder, says that your social security number is the password you’re never allowed to change.

Ram:
Social security number should be a username.

Kathy:
You’d think so. Throw some more things into the mix instead of just those numbers, right?

Ram:
Yeah, exactly.

Kathy:
Now, we’ve got WordPress 5.6 coming out on November 8th. I know we have a livestream on that same day that we’re going to focus on talking about what to expect in 5.6, because we’ve got some security items as well as some new features coming. What can we expect from the livestream? What’s some of the fun stuff we’re going to talk about?

Ram:
Well, we’re going to talk about how Gutenberg is gradually starting to become more usable.

Kathy:
Yes, it is. I think it’s getting there. Yes, I do. I’m on team Gutenberg. I kind of like it.

Ram:
I’m ambivalent.

Kathy:
Are you? Okay.

Ram:
I can learn to live with it if I need to, but I’m not going to embrace it as wholeheartedly. But I don’t hate it as much as I used to.

Kathy:
It’s gotten so much … I was using the Gutenberg plugin on a couple of sites just to see what was coming before it actually dropped into WordPress core. So I was kind of used to what was coming. But it’s now getting to the point in terms of functionality and usability where it’s becoming more of a page builder and a full site editor, kind of like what we’ve seen with like Divi or Elementor, where you have control over headers and footers and everything all within the editor. I think we’re going to start seeing some really interesting things with Gutenberg, and 5.6 is really showing us some new things with Gutenberg.

Ram:
It’s a lot more performant than a lot of page builders, too. It does have that going for it. It’s going to slow down your site less. It’s going to have a faster user experience. It’s going to give your customers a faster user experience.

Kathy:
Yeah. Especially with some of those metrics that we talked about Google adding to page speed and ranking factors coming up that we talked about on a previous episode. So 5.6 will definitely keep WordPress in the running for being a performant CMS as far as Google and the search engine result pages is concerned. What do we know about jQuery?

Ram:
So 5.5 disabled jQuery Migrate by default. jQuery Migrate is effectively something that re-adds some jQuery 1.x functionality to newer versions of jQuery so that stuff that depends on it won’t break. It’s kind of intended as a way for developers to test and get ready to shift over anything they have that depends on older versions of jQuery. But the Enable jQuery Migrate Helper plugin still has 200,000 installs. It literally says it’s supposed to be a temporary solution. So 5.6 is basically going to add a newer version of jQuery Migrate. 5.7 is when the real major changeover is going to happen, where they’re just going to get rid of it entirely. But now is a really good time, if you’re a plugin developer, to make sure that everything you’re using works with the newest version of jQuery instead of relying on the older versions.

Kathy:
And if you’re a WordPress user to check on your plugins to see if there are those that are relying on the older version that need to get updated, and put some pressure on your plugin developers to make sure that they are keeping with the times.

Ram:
Yes, this is honestly a lot more, I want to say urgent than the PHP 8 thing, because the timeline is much shorter.

Kathy:
It is, definitely. Because 5.6 isn’t even … What were they calling it? Beta ready for PHP 8, right?

Ram:
Yes. They still want you to use PHP 8 if you can. There’s no major issues that anyone can find, but that doesn’t mean that small stuff won’t pop up for a while, especially in your plugins. If you’re starting a new website from scratch on 5.6 and you don’t plan on using a lot of plugins right now, then yeah, try PHP 8 if you want to. If you’ve got a website that’s been around for a while and it’s got a lot of legacy dependencies, then you probably want to spend some dev and testing time to make sure it gets ready first.

Kathy:
5.6 also has application passwords for REST API points. You’re going to go into this much more in depth next week, right?

Ram:
We are. It could be good because it could mean that the REST API could get used for a lot more, but it also means that depending on how it’s set up, users could be socially engineered into allowing access to malicious apps.

Kathy:
Okay. Well, I am looking forward to your analysis on that on Wordfence Live next week. That’ll be great. It looks like they’re offering major version autoupdates for new installations.

Ram:
Yeah. We went into this a little bit before, but up until recently, WordPress core should automatically apply security patches, but not major version changes. If you are installing 5.6 from scratch instead of updating to it, then future major updates will be automatically installed.

Kathy:
And that’s something that existing users can opt into if they want to.

Ram:
That is.

Kathy:
Okay.

Ram:
I’m pretty sure that new users can opt out as well, but that is going to be the default for new users.

Kathy:
Okay. Interesting. Well, this’ll be another milestone in bringing WordPress into even more-

Ram:
The present.

Kathy:
I wasn’t going to say that, but I’m really seeing a lot of future-focused development happening with WordPress in that they’re really looking towards the future and looking towards making WordPress usable for everyone. I am excited by what I’m seeing here, and I’m excited by what you guys are going to talk about on Wordfence Live next week. I think that’ll be a great overview of where WordPress is going from here and how to get on the ride, get on the train ride to WordPress’ future.

Ram:
I agree. Honestly, WordPress is amazing because it’s accessible. The thing is if we can make it accessible and even more secure because it’s already pretty secure. WordPress core is pretty secure. It’s just a matter of making sure that everyone has an easier time updating. Everyone stays up-to-date. I think that, that’s one of the challenges they’re trying to address here. So, good on them.

Kathy:
Yeah, definitely. Okay. Well, thanks for joining us for another episode of Think Like a Hacker. This is the podcast about WordPress, security, and innovation. We will be back again next week with episode 98. Hey, we’re getting closer and closer to that milestone of 100. That’s very exciting.

Ram:
Are we going to do anything special for 100?

Kathy:
We’ll probably hit it before the end of the year. So yeah, stay tuned. You never know what’s going to happen.

Ram:
All right.

Kathy:
Well, thanks for joining me again, Ram. If you want to follow us, follow us, of course, on the Wordfence Twitter account. That’s where all of our announcements happen, but wherever you are watching or listening to Wordfence, we are on social media as Wordfence. Find me @kathyzant on Twitter. Ram, where are you?

Ram:
I am @ramuelgall on Twitter.

Kathy:
Awesome. We’ll have links in the show notes, and we will talk to you next week.

Ram:
Bye.

Kathy:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
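The PHP 8 comparison changes Ram describes in the episode, worked through in code. This is an added example written for this page, not code from the podcast, from Wordfence, or from any plugin: it runs the int-versus-string cases from the discussion (numeric, whitespace-padded, leading-numeric and non-numeric strings), shows the same loose comparison hiding inside `in_array()`, shows the one case PHP 8 does not fix (two numeric-looking strings such as "0e…" hash output are still compared as numbers, so `hash_equals()` remains the right tool for tokens), and shows the closure that replaces the removed `create_function()`. The "0e…" strings and the function names are constructed for the example. Run it under PHP 7.4 and PHP 8 to see the outcomes change.

```php
<?php
// Added example (not from the podcast or Wordfence): PHP 7 vs PHP 8
// string-to-number comparison, loose checks that used to be bypassable,
// the case PHP 8 does NOT change, and the create_function() replacement.
declare(strict_types=1);

/**
 * Int-vs-string comparisons from the discussion. In PHP 8 the comparison is
 * numeric only when the string is a numeric string (optional leading and
 * trailing whitespace allowed); otherwise the int is cast to a string and
 * the two are compared as strings.
 */
function juggling_cases(): array
{
    return [
        '6 == "6"'    => 6 == "6",     // PHP 7: true   PHP 8: true
        '6 == " 6 "'  => 6 == " 6 ",   // PHP 7: true   PHP 8: true (whitespace is allowed)
        '6 == "6abc"' => 6 == "6abc",  // PHP 7: true   PHP 8: false ("6" vs "6abc" as strings)
        '0 == "abc"'  => 0 == "abc",   // PHP 7: true   PHP 8: false
        '0 == ""'     => 0 == "",      // PHP 7: true   PHP 8: false
    ];
}

/**
 * in_array() without the strict flag uses == as well, so on PHP 7 a
 * non-numeric string matched an allow-list that contained 0.
 * Passing true as the third argument makes it === on every version.
 */
function allowed_loose(string $value, array $allowlist): bool
{
    return in_array($value, $allowlist);
}

function allowed_strict(string $value, array $allowlist): bool
{
    return in_array($value, $allowlist, true);
}

/**
 * Token check written with ==. Two numeric-looking strings are still
 * compared numerically in PHP 8, so every "0e<digits>" string equals 0 and
 * therefore every other such string. PHP 8 does not change this.
 */
function loose_token_check(string $expected, string $provided): bool
{
    return $expected == $provided;
}

/** Constant-time, type-strict comparison: the check a token should use. */
function strict_token_check(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

/**
 * create_function() was deprecated in PHP 7.2 and removed in PHP 8, where
 * calling it is a fatal "undefined function" error. A closure does the
 * same job without eval()'ing a string, which is why the malware Ram
 * mentions (which used create_function() as an eval() stand-in) breaks too.
 */
function make_multiplier(int $factor): Closure
{
    // PHP 5/7 form, removed in PHP 8:
    //   return create_function('$x', "return \$x * $factor;");
    return fn(int $x): int => $x * $factor;
}

function main(): void
{
    printf("PHP %s\n", PHP_VERSION);
    foreach (juggling_cases() as $expr => $result) {
        printf("  %-12s => %s\n", $expr, var_export($result, true));
    }

    printf("  in_array(\"abc\", [0, 1, 2]) loose  => %s\n",
        var_export(allowed_loose("abc", [0, 1, 2]), true));
    printf("  in_array(\"abc\", [0, 1, 2]) strict => %s\n",
        var_export(allowed_strict("abc", [0, 1, 2]), true));

    // Constructed strings shaped like hex hash output that happens to start
    // with "0e" followed only by digits (PHP reads them as 0 * 10^n).
    $stored   = "0e12345678901234567890123456789012";
    $supplied = "0e98765432109876543210987654321098";
    printf("  loose token check  => %s\n", var_export(loose_token_check($stored, $supplied), true));
    printf("  strict token check => %s\n", var_export(strict_token_check($stored, $supplied), true));

    printf("  make_multiplier(3)(7) => %d\n", make_multiplier(3)(7));
}

main();
```

The first four comparisons flip from true to false between PHP 7 and PHP 8, and so does the loose `in_array()` call, which is the class of bypass Ram refers to. The loose token check stays true on both versions, because the saner-comparison change only affects int-versus-string and not string-versus-string comparisons; `hash_equals()` (or `===`) is what closes that one, and it also avoids the timing leak of a byte-by-byte short-circuiting compare.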
