01 May

Sucuri’s Idea of Safe Harbor Against Tomorrow’s Threats is Warning About a Vulnerability in a WordPress Plugin a Year and a Half Behind Us

When it comes to the very poor state of the security industry, one thing that continually stands out to us is how often security companies don’t make it that hard to realize they are not in fact doing the things they claim. Unfortunately, security journalists and others continually ignore that, which makes the security of every website worse off, with no positive benefit for anyone other than security companies cutting corners.

Take the security company Sucuri, which makes claims like this:

Our research-driven tools keep us on top of emerging threats and security issues so we can clean them faster than the competition.

What we have seen over and over is that this isn’t close to true. Take for instance a blog post they put out on April 5 about a SQL injection vulnerability in the plugin Duplicate Page. That was a vulnerability we detailed for our customers and publicly discussed back on October 20, 2017 (the developer didn’t fix it at the time despite us contacting them directly multiple times).

On that post they have this marketing image:

Safe harbor against tomorrow’s threats

The rest of the post is also a good example of how security companies are more interested in scaring people than in providing them with accurate information.

Here is how the post starts:

While investigating the Duplicate Page plugin we have discovered a dangerous SQL Injection vulnerability.

It was not being abused externally and impacts over 800,000 sites. Its urgency is defined by the associated DREAD score that looks at damage, reproducibility, exploitability, affected users, and discoverability.

A key contributor to the criticality of this vulnerability is that it’s exploitable by any users with an account on the vulnerable site (regardless of the privileges they have – e.g., subscribers) and is easy to exploit.

We are not aware of any evidence of widespread exploitation of SQL injection vulnerabilities like the one they are discussing. That is also something Sucuri likely wouldn’t know, considering that among the corners they cut with their service, they usually don’t try to determine how websites have been hacked, despite that being a basic part of a hack cleanup.

Considering that this vulnerability was publicly discussed a year and a half ago and that they themselves say it was not being abused externally, that seems like a good indication that the vulnerability doesn’t match the “dangerous” label they give it. That isn’t surprising when you consider that not only is this a type of vulnerability that isn’t likely to be exploited, but it is further limited by requiring people to be logged in to WordPress, which in their over-the-top rhetoric becomes a “key contributor to the criticality”.

They gave this vulnerability a DREAD score of 8.4 out of 10, which seems like much too high a score unless you are trying to unnecessarily scare people. The creator of that scoring system, Microsoft, abandoned using it some time ago, which isn’t a great sign as to its usefulness.

What seems pretty clear to us, from seeing posts like that for years, is that they are about getting publicity, since there is no need to go so over the top in describing a minor vulnerability. But of course, Sucuri has claimed that they don’t do what they are doing for publicity:

As for us, we don’t do that for publicity. It is just part of our research and work that we do every day. Even before Sucuri started, we were auditing code and disclosing security issues. Our goal is to be ahead of the bad guys to protect our clients and help the web as a whole.

What also stands out to us is that doing that type of research doesn’t have anything to do with what Sucuri offers. They don’t do security reviews of plugins; they provide a firewall, and understanding the underlying code of a vulnerability like this has nothing to do with that. When it comes to actually protecting against SQL injection vulnerabilities (or any vulnerabilities, for that matter), Sucuri doesn’t provide evidence that their protection is effective (they certainly are not staying ahead of the bad guys), it is no secret that their service can often be completely bypassed, and it also appears that their SQL injection protection hasn’t even been properly tested.

Tomorrow we will look into another claimed SQL injection vulnerability they recently promoted having discovered, where the reality is even more out of step with their claims than what happened with this vulnerability.