XF.com suggestion: Always email users who downloaded vulnerable addon releases

I just read a really fascinating case history here about a well established WordPress plugin with 300K active installs; it was purchased by a bad actor and a back door was installed into a later update.

The plugin was removed from the WP plugin repo without any indication about the back door, so WordFence Security (a 3rd party WP security company with a premium subscription plan) investigated to try and figure out why.

They ended up discovering that the purchase was made by someone with a history of buying plugins in order to produce and distribute links on the site owners' websites, pointing to their loan companies to improve their SERPs.

The most interesting part, I found, was that WP Security was able to work with WP.org and use their automatic plugin updater system to help distribute a patched version of the plugin to over 100K sites in just a few days.

Very cool stuff imo, and it really highlights the benefit of having some kind of centralised plugin repo, ACP update system and the ability to push automatic updates for security reasons.

I hope we can get something like this for XF as soon as possible.

Full story here


While this is a really REALLY good idea, it's also very bad. Many auto updates have been hijacked in the past to add backdoors and so on. A notice in the admin panel would be enough for me. I think it should be added by default. But then again, this will just give the same issues. I think it was vBSEO? One of their notice systems was hijacked to inject a malicious plugin into vBulletin and they didn't notice for ages.

So this is a 50/50. While I agree notices should be given out about exploits, I feel the way to do it shouldn't involve adding anything into our sites. An email would be fine by me, even a notice here.

Just look at CCleaner: they were recently hacked and the code was pushed out via their auto update system. Unless you can guarantee 100% that the servers giving these updates are secure then it shouldn't be done. And as you know, security is just an illusion. There's always something that can be exploited.

Being paranoid about security makes you think weirdly, I guess. My fear's not about being hacked; it's the users who get compromised that's my fear.

Some people just don't care and hide it though, examples being vBulletin and the 2 0-days found and left unpatched a month after being reported. Or the time, via public information, I found a remote access exploit there; after reporting it for 3 weeks they finally patched it. Another example is some guy named Kev who never informed his users they were compromised due to a password reuse attack. Even after being properly hacked this owner still hasn't informed users and just hides it.

It makes me sick thinking sites still do this. Yeah, off-topic, but I feel this is just a bad idea, as good as the intentions are. It leaves too much risk and possibly opens other flaws.

I totally agree with you that it can be both very good, yet has the potential to be very bad.

But where do we draw the line and make the decision?

Do we say a system like this is no good because there's a chance it could be exploited, or do we go with a system like this because there's an even better chance a bad actor may distribute malware, or there may be a legitimate oversight and security bug, and as a result, when that happens, the majority of customers will now be protected via an automatic update because of the system?

I imagine there's a correlation between how big a company is, how good their security is and how effective a system like this is. For a small 3 man team, then you may be right, an automatic update system may not be the right answer. For a company such as WordPress, with their hundreds of thousands or millions of customers that they want to be safe and updated, it makes perfect sense. But when will the time come for this company (XF) to grow properly and set the standard for independent communities online? In order for XF to scale, is a system like this not also required? They kind of go hand in hand.

It can't stay a 3 man core team forever; if it's going to be a long term player in the game and keep up with the tech that is available via other community and social media options then there needs to be some kind of overhaul that ends up with a system similar to, or even better than, this.