29 Sep

Detectify Doesn’t Do A Good Job of Protecting WordPress Websites

When it comes to security these days you have situation that should be a crisis for the industry, 10s of billions on their products and services and yet a quick perusal of the news would show that the results for all the money spent are not good. Instead, as far as we have seen the security industry has no problem with the current situation and if you point out some of the problems leading to that you are likely to be criticized.

As an example of how the money is being spent on solutions that are not doing job, let’s take a look at company that we ran across recently, Detectify. That is marketed as the “Leading Web Security Scanner for Continuous Security”, though looking at what it provides for WordPress websites indicates that if it’s the leading scanner, then the lead isn’t very impressive.

It is claimed to test for “700+ vulnerabilities”, which would seem to leave a lot of vulnerabilities missing considering that we have a lot more vulnerabilities in our data set from just vulnerabilities in WordPress plugins and that service isn’t limited to just WordPress websites.

Here is how the service is described as working, which as we will get to, seems both inefficient and a security risk when it comes to WordPress websites:

Detectify is a web security service that simulates automated hacker attacks on your website, detecting critical security issues before real hackers do. We provide you with descriptive reports of the results so that you can continue to build safe products.

Limited Tests of Plugin Vulnerabilities

Twice a month Detectify releases a post with new additions to their testing. For the period that is roughly July and August the entries (1, 2, 3, 4) they added tests for five claimed WordPress plugin vulnerabilities:

  • WordPress youtube-embed-plus CSRF
  • WordPress stop-user-enumeration Bypass
  • WordPress dsubscriber SQL Injection
  • WordPress wp-hide-security-enhancer LFI
  • WordPress spiffy-calendar XSS

The quantity of WordPress plugin vulnerabilities they added tests for is incredibly underwhelming. By comparison in July we added 28 vulnerabilities to our data set and in August we added 35 vulnerabilities. What is even more striking is in total they only listed 17 tests added during the two month period, so their limited testing isn’t just a WordPress issue.

When it comes to security, quantity isn’t everything, but the quality of their additions might be worse.

What seems to the most important thing to note is that all of the WordPress plugin vulnerabilities they added checks for had already been fixed before they were disclosed, so simply using our Automatic Plugin Updates plugin to keep your plugins automatically updated would have provided you better protection than their paid service. (If the vulnerabilities hadn’t been fixed their service wouldn’t do anything to help you do deal with them.)

Where that is most relevant is for the only serious vulnerability they added a check for, the arbitrary file viewing vulnerability in WP Hide & Security Enhancer (it is concerning they incorrectly classified that as a local file inclusion (LFI) vulnerability). That vulnerability was fixed back in February, but was only disclosed by the discoverer in July. That vulnerability also shows how we provide superior data on WordPress plugin vulnerabilities over anyone else since we have been warning our customers about the vulnerability since it was fixed in February.

By comparison in both July and August eight of the vulnerabilities we added had yet to be fixed. That included multiple vulnerabilities that are of types that are likely to be exploited.

Among the other issues is that two of the vulnerabilities they listed are not really vulnerabilities. The claimed bypass vulnerability in Stop User Enumeration isn’t really a vulnerability as usernames are not intended to be a secret with WordPress. The claimed SQL injection vulnerability in DSubscribers, is only exploitable by Administrators, which can normally do the equivalent of SQL injection.

That claimed vulnerability in DSubscribers also raises another concern with the Detectify service, which also applies to the cross-site request forgery (CSRF) vulnerability in YouTube. For both of those issues the action taken is done by someone logged in as an Administrator, so if the service is actually is simulating an attack it would require the service to have access to an Administrator account in WordPress. That obviously is a security risk and one that isn’t needed to check these things, since you could just check the version in use.

Are They Finding Additional Vulnerabilities?

For the amount of the money they are charging they are doing a bad job of providing any protection against known vulnerabilities in WordPress plugins, but since they are doing other testing, if the testing was any good it should be able to identify additional vulnerabilities in WordPress plugins since there are plenty to be found. We were not already aware of any recently disclosed vulnerabilities they found and the only indication they might have found any vulnerabilities in WordPress plugins is a post from last week, that mentions several very low level vulnerabilities, reflected cross-site scripting (XSS) vulnerabilities, they may have discovered (it isn’t specified who discovered them in the post, but some of them don’t appear to have been disclosed elsewhere so far).

The details in the post though are very strange. For example, one of the vulnerabilities is supposed to impact versions prior to a certain version, but the next version contains no security related change. It looks like they might be referring to a different version that contained a fix for a different security vulnerability. We did confirm that at least two of the vulnerabilities exist in the current versions of the respective plugins. There is no indication that the developers of those plugin or some of the other listed plugins been notified about them, which would be irresponsible of Detectify not to do. We will probably have more on this once we have had a chance to more fully look over the plugins in question and if we hear back from the developers of the current vulnerable ones (we just notified the developers of the two plugins we have confirmed are currently vulnerable so far), but the information so far doesn’t project that Detectify is a high quality security company.

We Offer Better Protection for WordPress Websites

As was mentioned earlier if you are looking for information on vulnerabilities in WordPress plugin we are going to provide much better data for less money than Detectify. We also do it in a more secure fashion as we don’t need access to your WordPress installation directly, all you need to do is install the service’s companion plugin, which securely communicates transfers information on what plugins are used to our service and then any vulnerabilities in them is sent back to the website.

On top of just getting better data on vulnerabilities, we actually are here to help you if are using an unfixed vulnerabilities (we also work with developers to get them fixed, so all you and everyone else would need to do is update them to protect yourself). Also as part of our service you have the ability to suggest/vote for plugins to receive a security review from us, which involves checking for reflected cross-site scripting (XSS) vulnerabilities as well as a number of much more serious types of vulnerabilities.