23 Sep

WordFence Lack of Security Knowledge Leads To Them Falsely Claiming to Protect Against Zero-Day Vulnerabilities

Last week we looked at a troubling claim made by the WordPress security company Wordfence that they were exclusively aware of zero-day vulnerabilities:

We also protect against many zero day vulnerabilities that aren’t yet known to the public but are known to us exclusively. These rules protecting against zero day vulnerabilities are unique to Wordfence.

The reason that is troubling is that would imply that they knew about vulnerabilities that were being exploited and were not notifying the developer of the relevant software, as a zero-day vulnerability refers to a vulnerability that is being exploited before the developer is aware of the vulnerability.

Based on on us actually finding numerous zero-day vulnerabilities in WordPress plugins that Wordfence seemed to be unaware of, we thought that maybe Wordfence didn’t actually understand what they were talking about (that is something we have seen evidence of repeatedly in the past). Maybe they had confused a zero-day vulnerability with a vulnerability that they had discovered. That distinction is rather important since a zero-day vulenrability is major threat, since even if you software is up to date, you are vulnerable when it is first exploited. On the other hand a vulnerability that they have discovered might not be much of threat at all (Wordfence has been known to not disclose details that show that a vulnerability is only a threat to a limited portion of it users) and if it has been fixed before a hacker becomes aware of it then it is of even less of a concern.

In a blog post yesterday it became clear they don’t understand what a zero-day vulnerability is (which isn’t an obscure term, it has a wikipedia page). Here is a part of a conversation between two of their employees (the one answering the question is describe as a “security analyst” and also someone we found putting out a false report of a vulnerability in a plugin earlier this year):

You have developed a reputation for finding zero day vulnerabilities in WordPress plugins. Can you talk about how you choose which plugins to focus your energy on and your process for finding 0 day vulnerabilities?

There are some cases where I have found a vulnerability as part of an investigation into a hacked website. Frequently I hit a tag in the plugins repository and choose plugins that look interesting. After that I review the code and use several tools to quickly test specific things, like injectable JS code in parameters, fuzzing input and things like that.

I think the biggest advantage I have in this is that I understand pretty well how WordPress works. This allows me to easily spot mistakes developers make which could lead to a security issue. In the WordPress community a lot of people are contributing in a wide variety of ways. This is my way of contributing – always working to make this community more secure, or at least less vulnerable.

A vulnerability found while you are looking at a plugin you randomly choose does not make it a zero-day vulnerability. It continues to scare us that so many people trust those guys, despite repeated evidence that they have trouble with the basics of security.

While they are misleading people in to thinking they are finding zero-day vulnerabilities and able to protect against them, we are actually finding and helping to get fixed many zero-day vulnerabilities (in a situation where the vulnerability doesn’t get fixed we warn you even if you don’t use the service yet, as long as you have the service’s companion plugin installed). Just yesterday we found what looks to be  arbitrary file upload zero-day vulnerability in a plugin and today we found one in another plugin. So if you are looking for actual protection against these types of vulnerabilities our service is probably going to provide you a better option for doing that than Wordfence.