25 Apr

Security Journalists Can’t Even Successfully Repeat the Same Inaccurate Figure Related To Exploited WordPress Plugin

Yesterday we discussed inaccurate information coming Palo Alto’s Unit 42 team that was then spread by the security news outlet Threatpost related to the WordPress plugin Social Warfare. In looking around we found that other security news outlets had also covered this and managed to put forward even more inaccurate information. Maybe that shouldn’t be surprising since a journalist that did some due diligence should have come to the conclusion that the original information did not seem reliable, but still it speaks to the really poor state of security journalism that even when presenting inaccurate information, they are unable to accurately present that.

In the Threatpost’s article they accurately reflected what Palo Alto’s Unit 42 team had claimed “most” of the 42,000 website they claimed were using the plugin were vulnerable:

Palo Alto Networks’ Unit 42 division estimates that 42,000 sites are using Social Warfare, “most of which are running a vulnerable version, including education sites, finance sites and news sites,” it said in an analysis, Monday. “Many of these sites receive high traffic.”

As we noted in our previous post, those figures seem to be highly inaccurate, due to a likely inaccurate count of usage, inaccurate information on what versions were vulnerable, and possibly the “most” being vulnerable part not being based on evidence at all.

SC Media by comparison claimed that “About 42,000 websites have not updated to the latest version “:

About 42,000 websites have not updated to the latest version of the Social Warfare WordPress plugin, leaving themselves open to a pair of vulnerabilities that are being exploited in the wild.

Most and about are not synonyms.

SC Media further got things wrong by getting the version number that fixed the issues wrong as well (since they were fixed in 3.5.3):

Versions 3.5.3 and earlier of Social Warfare, which adds social sharing buttons to websites, are at issue.

The oddest version of this came from The Hacker News, which somehow came up with the figure of 37,000 being vulnerable:

At the time of writing, more than 37,000 WordPress websites out of 42,000 active sites, including education, finance, and news sites (some Alexa’s top ranking websites), are still using an outdated, vulnerable version of the Social Warfare plugin, leaving hundreds of millions of their visitors at the risk of hacking through various other vectors.

We couldn’t figure out where that figure could have come from, so possibly they just made it up.