This entry was posted in General Security, Wordfence, WordPress Security on August 19, 2016 by Mark Maunder 284 Replies

On Tuesday we published a blog post about the 404 to 301 plugin inserting ad links into page content that only search engines could see. This is a technique called cloaking and will incur a penalty from Google.

Since then we have received some criticism from the maintainers of the WordPress plugin repository for the way we handled this. We have also received some criticism from the community for victimizing a plugin author.

I’d like to share a few additional facts and then explain why I wholeheartedly stand by our decision to publish and the way we handled this.

The plugin inserted links to websites into page content that would only show up when Google or another search engine crawled the site.

The content was hidden to the site owner or anyone who did not visit the site with a search engine user-agent (browser identification string).

The plugin asked you for permission to do this by displaying terms of service that described exactly what it was intending to do. The ‘cloaking’ portion of the terms of service was at the end after a long copy of the GNU general public license that was included. It was below the fold in a scrolling element, so would not have been noticed by anyone who didn’t scroll down. (See below for screenshot)

On further investigation the ad domain, which is wpcdn.io, serves up three things:
- The Payday Loan content we already disclosed. (See below for content)
- A link to an adult UK based escort service. (See below for censored screenshot and content)
- A string of text that is somewhat unique: sdf98jhk (See below for content)

If you google the string of text it returns 8,620 results and these appear to be WordPress sites that have had content injected by this plugin and that content has been indexed by Google. Random checks confirm that these sites are running the affected plugin. This confirms over 8,000 sites at a minimum were affected.
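A check a site owner can run for this kind of user-agent cloaking, added here as an example and not code from the original post or from Wordfence: fetch the same page as a browser and as a crawler, then report links (and the sdf98jhk marker) that only the crawler copy contains. The sample pages are constructed, and the Googlebot user-agent string is the one Google publishes.

```python
import urllib.request
from html.parser import HTMLParser

# Constructed sample pages (not captured from any real site): the same page
# as served to an ordinary browser and as served to a search-engine crawler.
BROWSER_HTML = """<html><body><article>
<p>Welcome to our site.</p>
</article></body></html>"""
CRAWLER_HTML = """<html><body><article>
<a href="http://example.invalid/payday">Payday Loans</a> sdf98jhk
<p>Welcome to our site.</p>
</article></body></html>"""

MARKER = "sdf98jhk"  # string the post reports being injected alongside the links


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def cloaked_links(browser_html, crawler_html):
    """Links the crawler copy contains that the browser copy does not."""
    seen = set(extract_links(browser_html))
    return [link for link in extract_links(crawler_html) if link not in seen]


def has_marker(html, marker=MARKER):
    return marker in html


def fetch_pair(url, timeout=10):
    """Fetch url once as a browser and once as Googlebot (needs network)."""
    agents = ("Mozilla/5.0 (site owner cloaking check)",
              "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)")
    pages = []
    for ua in agents:
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            pages.append(resp.read().decode("utf-8", "replace"))
    return tuple(pages)  # (browser_html, crawler_html), ready for cloaked_links
```

Run `cloaked_links(*fetch_pair("https://your-site.example/"))` against a site you own; an empty list and no marker hit is the expected clean result.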

Sadly, if you google the adult domain that is being served, it appears to have infected many other websites, including a school’s site that is now serving adult content to Google. (See below for screenshot)

The ad domain was registered on January 14, 2016.

The plugin author’s account was used to upload the changes.

We were alerted to this plugin by a customer and upon investigation found that their site was surreptitiously serving up blackhat SEO content.

This was not a vulnerability

This is not a security hole in a plugin that requires the usual ‘responsible disclosure’ to the plugin author. This was a plugin that had malware pre-installed by the author’s account and was active on over 70,000 websites.

It was urgent that we notify the community and our customers about this so that they could immediately react and limit the damage.

The fact that the terms of service in the plugin actually ask for permission to engage in cloaking (see below for screenshot) indicated to us that this was done with the plugin author’s blessing, rather than being a case where a plugin author’s account was hacked. The exact wording from the ToS was:

“By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it.”

We were under absolutely no obligation to look after the plugin author’s interests when we discovered this because it wasn’t a security hole that was accidentally written by the author. Someone had intentionally placed spam on a large chunk of the WordPress community’s websites and was profiting from it. The terms of service indicated it was intentional.

We needed to react quickly and that’s what we did.

How we handled this incident

On Tuesday this week Wordfence immediately notified our large security mailing list about the problem by posting on our blog and sending out an email linking to the post.

We also notified the plugins@wordpress.org email address about the issue.

We made no attempt to notify the author. Presumably he already knew he was doing bad things based on his terms of service.

What happened once we sent out the notification

We were criticized for our approach by the WordPress.org plugin repository maintainers. We were told we should have contacted the developer first. Then if they don’t reply or we can’t find out how to contact them, we should contact plugins@wordpress.org second. And only then should we post, preferably after something has been fixed.

I strongly disagree with this approach and stand by our actions because this was a plugin that had malware intentionally pre-installed by the author. Why notify the author that they’ve been discovered?

It seems more helpful to put the community in the driver’s seat. Let them take immediate action to limit damage that has already been intentionally done to their websites and their Google reputation. And then worry about the plugin author’s interests.

And so that’s exactly what we did. We sent out an immediate notification to the community and included plugins@wordpress.org in that notification.

What has the plugin author done?

The plugin author now says that he has removed the malicious code as per his changelog. We have not independently verified this.

The author has posted a blog post which you can find here:

https://thefoxe.com/blog/404-to-301-plugin-detected-by-wordfence-here-is-what-actually-happened/

We are intentionally not linking to the post to avoid promoting his website.

The post starts by saying “There are people, making money from other’s mistakes, instead of correcting them.”

We’d like to point out the author was making money by surreptitiously injecting spam links into website content and, as a side effect, destroying those websites’ search engine rankings. How are we obligated to correct his greed and lack of morals?

He was “shocked” that he received negative reviews of his plugin. We’d like to point out that there may be justification for those reviews.

The author says “I found that the links and ads are being shown at the top of the page content instead of showing small credit text at very bottom, for crawlers.” This suggests he knew he was cloaking, was doing it intentionally and thinks the problem is that the ads appeared to regular browsers too (in addition to search engines). We’d like to suggest he read up on what cloaking is and why it’s bad.

He blames another developer who isn’t named, conflates security vulnerability with intentional malware, paints himself as the victim, accuses us of censoring his comments on our blog (we didn’t) and claims we profited by demonizing him.

Final thoughts

I created Wordfence because my own personal site was hacked by the Timthumb vulnerability back in 2012. I discovered the vulnerability which was a zero day, I wrote code that patched timthumb and then went on to lock myself in a room and code for 8 months straight to create Wordfence to help prevent this from happening to anyone else ever again.

Today, Wordfence is a team of more than 20 highly trained and qualified individuals that come from a wide range of sectors in the security profession and community. We provide a world-class firewall that is free for the community and open source. We invest heavily in providing additional free resources to help the community like our free WordPress security Learning Center and like the prolific free support we provide on the wordpress.org forums.

I know what it feels like to have someone intentionally install their own malicious code on your site and profit from that code. It hurts your livelihood and reputation and it was such an awful experience I’ve dedicated my career for the last 5 years to making sure that does not happen to anyone else.

That is what happened in this case.

In this case we were under no obligation to protect the plugin author’s interests. We notified the community first and we did it loudly. My team and I stand by our actions and we will do it again if we discover anyone else intentionally installing malware on community or customer websites.

We will always put our customers and the community first.

I welcome your comments but I’d like to ask you for a favor: Please avoid any witch-hunting or personal attacks on any individuals involved in this, including the plugin author and anyone else associated with the plugin or this incident.

Yours Sincerely,

Mark Maunder – Wordfence founder/CEO.

References:

The link to a UK based adult escort service that was being injected under certain conditions:

Censored screen capture of the home page of cityofescorts, an adult site injected into content by this plugin:

The payday loans content that was being injected under certain conditions. This affected our customer in the initial report and is how we discovered the issue:

The text “sdf98jhk” that was being injected under certain conditions and that allows you to find affected sites using a Google search.

The section (once you scroll down) in the terms of service of the plugin that describes that the plugin will be cloaking content on your site.

Google results for the adult website that was being injected by this plugin. It looks like a school’s website is now serving adult content to Google, and we haven’t been able to confirm whether this plugin is the culprit or other malicious code is.