W.D
Active member
I just read a really fascinating case history here about a well-established WordPress plugin with 300K active installs: it was purchased by a bad actor, and a back door was installed in a later update.
The plugin was removed from the WP plugin repo without any indication about the back door, so WordFence Security (a 3rd-party WP security company with a premium subscription plan) investigated to try to figure out the reason why.
They ended up discovering that someone who had a history of buying plugins in order to distribute and produce links on the site owners' websites, linking to their loan companies to improve their SERPs, was behind the purchase.
The most interesting part I found was that WP Security was able to work with WP.org and use their automatic plugin updater system to help distribute a patched version of the plugin to over 100K sites in just a few days.
Very cool stuff imo, and it really highlights the benefit of having some kind of centralised plugin repo, ACP update system and the ability to push automatic updates for security reasons.
I hope we can get something like this for XF as soon as possible.
Full story here
While this is a really REALLY good idea, it's also very bad. Many auto updates have been hijacked in the past to add backdoors and so on. A notice in the admin panel would be enough for me. I think it should be added by default. But then again, this will just give the same issues. I think it was vBSEO? One of their notice systems was hijacked to inject a malicious plugin into vBulletin, and they didn't notice for ages.
So this is 50/50. While I agree notices should be given out about exploits, I feel the way to do it shouldn't involve adding anything into our sites. An email would be fine by me, even a notice here.
Just look at CCleaner: they were recently hacked and the code was pushed out via their auto update system. Unless you can guarantee 100% that the servers giving these updates are secure, then it shouldn't be done. And as you know, security is just an illusion. There's always something that can be exploited.
Being paranoid about security makes you think weirdly, I guess. My fear's not about being hacked; it's the users who get compromised that's my fear.
Some people just don't care and hide it, though, examples being vBulletin and the 2 0-days found and left unpatched a month after being reported. Or the time, via public information, I found a remote access exploit there; after reporting it for 3 weeks they finally patched it. Another example is some guy named Kev who never informed his users they were compromised due to a password reuse attack. Even after being properly hacked, this owner still hasn't informed users and just hides it.
It makes me sick thinking sites still do this. Yeah, off-topic, but I feel this is just a bad idea, as good as the intentions are. It leaves too much risk and possibly opens other flaws.
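The concern raised in the thread is that an update server can be compromised (CCleaner being the example given) and then pushes whatever the attacker wants. The usual mitigation is that the client never trusts the server at all: it trusts only a publisher key pinned in the software itself, and accepts a package only if a manifest signed by that key matches the package bytes and is newer than what is installed. The following is an added illustration of that check, not code from the thread, from XenForo, from WordPress or from Wordfence. The key pairs, the "plugin" byte strings, the manifest layout and the function names are all constructed here for the example; a real system would also have to solve key distribution, key rotation and revocation, which this block does not cover.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the update server hands out alongside the package.
// Only the fields covered by Signature are trusted; the server itself is not.
type Manifest struct {
	Sequence  uint64 // monotonically increasing; blocks replay of an older, vulnerable release
	Version   string
	SHA256    string // hex SHA-256 of the package bytes
	Signature []byte // Ed25519 signature over manifestMessage(...)
}

// manifestMessage is the exact byte string that gets signed. A fixed prefix and
// a length prefix on the variable-length field keep field boundaries unambiguous.
func manifestMessage(seq uint64, version, sha string) []byte {
	msg := []byte("update-manifest-v1")
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], seq)
	msg = append(msg, b[:]...)
	binary.BigEndian.PutUint64(b[:], uint64(len(version)))
	msg = append(msg, b[:]...)
	msg = append(msg, version...)
	msg = append(msg, sha...)
	return msg
}

func packageDigest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// SignManifest runs on the publisher's side with the private key, which never
// lives on the update server. Compromising the server yields no signing ability.
func SignManifest(priv ed25519.PrivateKey, seq uint64, version string, pkg []byte) Manifest {
	sha := packageDigest(pkg)
	return Manifest{
		Sequence:  seq,
		Version:   version,
		SHA256:    sha,
		Signature: ed25519.Sign(priv, manifestMessage(seq, version, sha)),
	}
}

// VerifyUpdate is the client-side check: pinned publisher key, signed manifest,
// anti-rollback sequence, then package hash. Any failure means "do not install".
func VerifyUpdate(pub ed25519.PublicKey, installedSeq uint64, m Manifest, pkg []byte) error {
	if !ed25519.Verify(pub, manifestMessage(m.Sequence, m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest not signed by the pinned publisher key")
	}
	if m.Sequence <= installedSeq {
		return fmt.Errorf("rollback: manifest sequence %d is not newer than installed %d", m.Sequence, installedSeq)
	}
	if packageDigest(pkg) != m.SHA256 {
		return errors.New("package bytes do not match the signed digest")
	}
	return nil
}

// RunScenarios exercises the checks against constructed sample data (keys and
// "plugin" bytes generated here, nothing fetched from a real server) and returns
// the verification result for each attempt: nil means accepted.
func RunScenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher's pinned key pair
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // key an attacker controls
	if err != nil {
		return nil, err
	}

	old := []byte("plugin v1.0 (has the hole)")
	fixed := []byte("plugin v1.1 (patched)")
	backdoored := []byte("plugin v1.1 (patched) + backdoor")

	oldManifest := SignManifest(priv, 1, "1.0", old)
	fixedManifest := SignManifest(priv, 2, "1.1", fixed)

	results := map[string]error{}
	// Client runs 1.0 (sequence 1) and is offered the genuine 1.1: accepted.
	results["legitimate"] = VerifyUpdate(pub, oldManifest.Sequence, fixedManifest, fixed)
	// Compromised server swaps the package bytes but keeps the real manifest.
	results["tampered_package"] = VerifyUpdate(pub, oldManifest.Sequence, fixedManifest, backdoored)
	// Compromised server publishes a manifest signed with the attacker's own key.
	results["attacker_signed"] = VerifyUpdate(pub, oldManifest.Sequence, SignManifest(attackerPriv, 3, "1.2", backdoored), backdoored)
	// Client already runs 1.1 (sequence 2); server replays the genuine but vulnerable 1.0.
	results["rollback"] = VerifyUpdate(pub, fixedManifest.Sequence, oldManifest, old)
	return results, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"legitimate", "tampered_package", "attacker_signed", "rollback"} {
		if res[name] == nil {
			fmt.Printf("%-17s accepted\n", name)
		} else {
			fmt.Printf("%-17s rejected: %v\n", name, res[name])
		}
	}
}
```

The point of the structure is that a compromised update server only ever controls bytes the client refuses to trust on their own: it can serve a bad package (hash mismatch), a manifest it signed itself (signature failure), or an old genuine release (sequence check). Only the legitimate update passes. This does not help if the publisher's signing key itself is stolen, which is why that key stays offline and off the distribution server.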