Yesterday we covered an authenticated option update vulnerability that looks like it was already being exploited in a third-party library, Freemius, which is included with many WordPress plugins. We also reviewed the 1,000 most popular WordPress plugins to check whether they used a vulnerable version of that library and notified the developers of the impacted plugins. The response we have gotten from them and from the developer of the library has been rather troubling.
Take this message we got from the developer of a security plugin of all things:
Your analysis is incorrect, the vulnerability was patched in Freemius 2.2.3 and [plugin named redacted] has been using 2.2.3 since Monday.
Publishing incorrect information that is commercially damaging may result in legal action.
Someone involved in the security industry throwing around legal threats like that is kind of incredible. The reality here was that the vulnerability was fixed in version 2.2.4, and we had actually manually tested the plugin to confirm it was vulnerable (we had originally assumed the plugin was fixed since it had just been updated).
In further communication the developer apologized and explained that the developer of Freemius had yet to update the copy of the library on Packagist, so they thought they had updated to the fixed version. While they stated that the library had now been updated on Packagist, it doesn’t appear to have been.
When the developer of that plugin fixed it, the changelog entry read “minor improvement”, which doesn’t seem accurate.
At least that developer had thought they had already fixed the issue. Here is the developer of two plugins with 100,000+ installs each that still hasn’t fixed them:
Please can you remove your post so that it is not public: https://www.pluginvulnerabilities.com/2019/02/26/hackers-are-probably-already-exploiting-this-authenticated-option-update-vulnerability-just-fixed-in-freemius/
You are basically showing hackers which plugins are vulnerable and how to exploit it. I think it is very unethical and also irresponsible for you to do this.
We have updated the plugins and will be releasing an update tonight, but I would appreciate it if you removed your post.
It is interesting that warning people that they are vulnerable to a vulnerability that looks like it is already being exploited is “unethical and also irresponsible”, while not quickly updating a plugin you know is being exploited is okay. The proof of concept we provided didn’t tell anyone something that was hard to figure out on their own, and it allows easily checking whether a plugin is vulnerable, like the security plugin mentioned before that wasn’t actually fixed.
That brings us to the developer of the library who contacted us with this message:
Yesterday you disclosed a security vulnerability in our SDK:
I appreciate what you do for the community and reporting security issues is very important. That said, it has to be done responsibly. We just discovered the issue on the 25th and notified the developers right away. Please unpublish the post for at least 30 days, giving enough time for all the developers and their users to update.
Later on, I’m happy to also send you a quote or answer some questions on the record. But let’s coordinate it so we’ll be in sync.
I would appreciate if you get back to me asap.
It is hard to believe they wanted us to keep quiet for 30 days about a vulnerability that is already being exploited. There is a fairly obvious problem with that: we were able to figure things out without it being responsibly disclosed, and if we could, it would be very bad to assume that those with bad intentions would not be doing the same type of monitoring and figuring this out as well. Part of what makes this so odd is that the developer had publicly mentioned the vulnerability when they fixed it: “[debug] [security] [fix] [major] Restrict the options update to admin…s and only to the SDK’s options (starting with ‘fs_’).”
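For readers checking their own plugins, here is what the two restrictions named in that changelog entry look like in WordPress code. This is an added illustration, not the Freemius SDK’s code; the function name and the `manage_options` capability choice are assumptions.

```php
<?php
// Added illustration of the fix described in the changelog entry above.
// NOT the Freemius SDK's code: the function name is made up and the use of
// the 'manage_options' capability to mean "administrator" is an assumption.

/**
 * Guarded option update: only administrators may update, and only options
 * whose name starts with the SDK's own 'fs_' prefix are accepted.
 *
 * Returns true if update_option() was called, false if the request was rejected.
 */
function fs_example_guarded_option_update( string $option, $value ): bool {
    // Both checks must pass; a handler that lacks either one lets an
    // authenticated request rewrite options it should never touch.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false; // caller is not an administrator
    }
    if ( strpos( $option, 'fs_' ) !== 0 ) {
        return false; // option is outside the SDK's own namespace
    }
    update_option( $option, $value );
    return true;
}
```

When reviewing a plugin that bundles the library, look for the equivalent of both conditions in front of every `update_option()` call the SDK reaches from a request handler.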
The developer also would seem not to “appreciate what you do for the community”, because they don’t seem to be aware of us at all: they go on to say they are “happy to also send you a quote or answer some questions on the record”, which is something you would say to a news outlet, not a security company.
If the developer had wanted to be responsible they would have had the library’s code reviewed for security issues some time ago.