05 Nov

It Looks Like Hackers Have Started Probing For Usage of AMP for WP – Accelerated Mobile Pages

A week ago we put out a Vulnerability Details posts with the details of a vulnerability in the plugin AMP for WP – Accelerated Mobile Pages, which had been closed on the Plugin Directory recently, so if you were already customer of our service and using that plugin you would have been warned about that particular issue, as well as the general poor security of the most recently released version of the plugin. It looks like hackers are aware of that as well now, as yesterday we had a series of requests requesting files from the plugin that looked to be probing for usage of it:

  • /wp-content/plugins/accelerated-mobile-pages/readme.txt
  • /wp-content/plugins/accelerated-mobile-pages/README.md
  • /wp-content/plugins/accelerated-mobile-pages/templates/custom-amp-content-
  • button.js
  • /wp-content/plugins/accelerated-mobile-pages/languages/how-to-use-a-pot-file.txt
  • /wp-content/plugins/accelerated-mobile-pages/LICENSE

The series of requests came from web servers in several different locations around the world and from Chinese telecom providers.

According to data from abuseipdb.com, others had requests of the same type several days before.

As of right now the plugin still is closed on the Plugin Directory (it has been closed on October 21), so people cannot use the normal upgrade process to get to a more secure version (we can help our customer upgrading to the unreleased version that fixes the issues).

From the changes made to the plugin since it was removed, it looks like this is an example of the poor handling of security by the team behind the Plugin Directory team as instead of being focused on working with the developer to get the serious fixed as soon as possible (and possibly avoiding removing it at all if they could get it promptly fixed, to avoid spotlighting the issue) and focusing on security improvements later, they are holding back those serious fixes, at time when hackers are already moving forward. That isn’t a new issue and it is the kind of thing that could be corrected if the team was open to working with others, like us, that could help them to make the process better and lead to better security for the WordPress community, unfortunately things like the inappropriate behavior of the WordPress Support Forum moderators allow them to get away with causing unnecessary security headaches for the WordPress community.

Until such time that things get cleaned up on the WordPress side of things our services continue to be important way to protect you and or your customers from insecure plugins, especially since unlike this one, many haven’t been removed from the Plugin Directory despite having vulnerabilities that are already publicly disclosed (those plugins have over 5 million installs). In addition to our main service we now also provide weekly and daily newsletters that provide access to the underlying data that is tapped into with the main service. We think those newsletters could be a better option for larger providers over setting up our service for individual websites (though for someone with say 10s of websites, the main service is much better option).

Leave a Reply

Your email address will not be published. Required fields are marked *