17 Oct

Security Advice Should Rely on Evidence Instead of Biased Assumptions

When it comes to the poor state of security, a lot of the blame can be placed at the feet of the security industry, but the public plays an important role as well. One of the big problems we see is people providing recommendations and advice that aren't based on any evidence. That would be a problem even if it were coming from security professionals, who might at least have some experience to base their assumptions on; coming from laypeople, who usually have no basis at all, it can lead to very bad advice.

Take WordPress as an example. What we have found incredible is that, while there are enough recommendations for security plugins claiming to protect your website from being hacked that you could spend days (or longer) reading them all, we have found only one instance of someone other than us actually testing whether those plugins protect against real threats that they could and should be able to provide some protection against. The results of our testing, and of that one other instance, were not good. Most plugins provided no protection whatsoever, and for the few that provided any, the protection was usually easily bypassed.

Another area where we frequently see advice that clearly isn't coming from knowledgeable people and isn't based on evidence is how to choose a secure plugin. We have seen people suggest basing the decision on all sorts of things, including the popularity of the plugin, its rating, and many others.

Recently we ran across another suggestion, this one coming from the maker of a WordPress plugin, to only use plugins with a monetization option:

So, going forward, we are only going to recommend and use plugins where it is clear to us what the upside is for the author. This means that many good plugins will soon be taken off our recommendation list and replaced with freemium ones (even if they are slightly inferior).

This recommendation came about because of the recent situation with the plugin Postman SMTP, which we assume was removed from the Plugin Directory because of a reflected cross-site scripting (XSS) vulnerability we discovered and disclosed.

The given reason for this recommendation is as follows:

This plugin is 100% free with no monetization options. In other words, the author does not have a financial interest in the plugin and, instead, works on it in his spare time. Had there been a premium version of this plugin available or some other way that the plugin was monetized, we have no doubt that a fix would have been available shortly after the issue was discovered. But, since its 100% free with no upside, the author has no real incentive to provide a fix if there are other projects or a job that takes precedence.

While they have "no doubt that a fix would have been available shortly after the issue was discovered", they didn't present any evidence to back that up.

Considering that, among other things, we are probably the most frequent discoverer of vulnerabilities in WordPress plugins these days, we are probably also the best qualified to judge the veracity of that statement.

While we haven't kept statistics on how the developers of completely free plugins deal with vulnerability reports compared to developers of monetized plugins (it might be interesting to do that), we have plenty of experience of monetized plugins not being fixed in a timely manner, or at all.

As a recent example of a monetized plugin with a type of vulnerability that is likely to be exploited: on July 24 we notified the developer of the plugin Product Reviews (also known as Ultimate Reviews and reviews) of a PHP object injection vulnerability in it. A paid version of that plugin is available. Nearly three months later the vulnerability still hasn't been fixed, despite the plugin last being updated only three weeks ago. We have also notified that developer of multiple vulnerabilities in another of their plugins, and none of those have been fixed either.

A couple of other plugins show one of the reasons that simply having a monetization option isn't going to ensure that a vulnerability gets fixed. With both Contact Form 7 – PayPal Add-on and Salon booking system, the developers left comments on our posts claiming that the vulnerability didn't exist (neither had replied when we originally contacted them before disclosing the vulnerability). The vulnerabilities do exist; the developers just didn't understand them. That isn't all that surprising, since we often find that the WordPress-focused security industry lacks even a basic understanding of security.

In this case the recommendation came from someone who doesn't seem to really know what they are talking about. The recommender claimed that without "multiple-layers of firewalls" they could have been exploited:

We have used and recommended this plugin numerous times over the years. This near-miss for us has caused us to re-evaluate what we use and recommend to our customers. Had we not had multiple-layers of firewalls in place, this could have been a business reputation catastrophe if someone had exploited it on our site.

The reality is that the chances of being exploited through a reflected cross-site scripting (XSS) vulnerability are incredibly low, since exploitation requires getting a logged-in user to follow a specially crafted link, and they provided no evidence that "multiple-layers of firewalls" would have had any impact on whether it was exploited.

Their recommendation to use monetized plugins isn’t exactly unbiased since they are the provider of a monetized plugin.

Their plugin actually introduces additional security risk onto websites, since it allows anyone to create a WordPress account, and plugins often contain vulnerabilities that are only exploitable by logged-in users. It took us only seconds to find just such a vulnerability in their plugin, and then we found another related one (we have notified them of both and will disclose them once they have had a chance to fix them).
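To make the point above concrete, here is an added illustration of why an open-registration plugin widens a site's attack surface. It is hypothetical example code written for this post, not code from the plugin discussed above or from any real plugin: the registration handler, the option name `demo_setting` and the AJAX action names are all made up. The "vulnerable" handler treats any logged-in user as trusted, so a Subscriber account created through the open registration form can reach it; the hardened version checks for the capability the action actually needs plus a nonce.

```php
<?php
/*
 * Hypothetical illustration (not code from the page or from any real plugin).
 * Shows how an open registration form turns "only exploitable when logged in"
 * into "exploitable by anyone": step 1 hands out Subscriber accounts, step 2
 * is a handler that any Subscriber can reach, step 3 is the fixed handler.
 */

// 1. A front-end registration endpoint of the kind a "let anyone sign up"
//    plugin might ship. admin_post_nopriv_* fires for visitors who are NOT
//    logged in, and wp_create_user() ignores the site's own
//    "Anyone can register" setting, so accounts get created regardless of it.
add_action( 'admin_post_nopriv_demo_register', 'demo_register_handler' );
function demo_register_handler() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) ( $_POST['user_pass'] ?? '' );
    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_die( 'Invalid registration data.' );
    }
    // New accounts get the site's default role, normally Subscriber.
    $user_id = wp_create_user( $login, $pass, $email );
    if ( is_wp_error( $user_id ) ) {
        wp_die( esc_html( $user_id->get_error_message() ) );
    }
    wp_safe_redirect( wp_login_url() );
    exit;
}

// 2. VULNERABLE PATTERN: an admin-ajax handler that assumes "logged in" means
//    "trusted". wp_ajax_* (without nopriv) already only runs for logged-in
//    users, so the is_user_logged_in() check adds nothing, and a
//    self-registered Subscriber can change a site option with one POST.
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_vulnerable' );
function demo_save_setting_vulnerable() {
    if ( ! is_user_logged_in() ) {            // true for a Subscriber
        wp_send_json_error( 'login required', 403 );
    }
    update_option( 'demo_setting', wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// 3. HARDENED PATTERN: require the capability the action really needs
//    (manage_options, which Subscribers lack) and a nonce tied to the action,
//    then sanitize the value. A self-registered account now gets a 403.
add_action( 'wp_ajax_demo_save_setting_safe', 'demo_save_setting_hardened' );
function demo_save_setting_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'demo_save_setting', 'nonce' );   // dies on a bad nonce
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'demo_setting', $value );
    wp_send_json_success();
}
```

When reviewing a plugin that ships a registration form, the check to make is exactly this pairing: what role the new accounts get, and which of the site's other handlers (in that plugin and in every other installed plugin) gate on nothing stronger than being logged in.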

Making Sure You Are Using Secure Plugins

In their post they stated that:

However, this meant that anyone using the plugin (estimated at about 100,000 users) was exposed to this known vulnerability for at least 2 extra months.

That wasn't true for our customers, because they started getting warned about the vulnerability at the time we disclosed it. So right there is a benefit of using our service. But if you are concerned about the security of a particular plugin, instead of waiting for us or someone else to happen upon a vulnerability, paying customers of our service can suggest/vote for a plugin to receive a security review from us. You can also order a review of a plugin separately from the service.

A security review is the only way you are really going to be able to determine if a plugin is secure or not.