6 Jun 2023

Akamai Warns Their Web Application Firewall (WAF) Doesn’t Protect WordPress and WooCommerce Websites

So often, what passes for security journalism misses the important details in claims made by security providers that are the sole source for stories. Take, for instance, a recent story that popped up a Google News alert we have to alert us to stories about WordPress plugin vulnerabilities. That story, by Roger Montti at the Search Engine Journal, claimed that the ecommerce platforms WordPress and WooCommerce were being targeted by a hacking campaign (no explanation was provided for classifying WordPress and WooCommerce as being separate platforms). Nothing in the story suggests what would have made this hacking campaign noteworthy, but it did mention a recommendation that is noteworthy. It said that it is recommended to use a web application firewall (WAF) to protect against this hacking campaign, but the sole source for their story, Akamai, itself said those don’t work against attacks:

Generally, these attacks cannot be detected by popular methods of web security, such as web application firewalls (WAFs), and are executed on the client side. [Read more]

16 May 2023

Akamai SIG’s Advanced Custom Fields (ACF) Attack Claim Confuses Script Kiddie With Attacker

In the past couple of days there have been scary sounding claims from journalists related to a recently fixed reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Advanced Custom Fields (ACF), which we had detailed on May 4 after a machine learning (AI) based system we have flagged the fix being made. The journalists claimed that an attacker was trying to exploit this. With headline claims including, “Hackers target WordPress plugin flaw after PoC exploit released” from the Bleeping Computer, as well as “Hackers exploit WordPress vulnerability within hours of PoC exploit release” from CSO Online, and “ACF Plugin’s Reflected XSS Vulnerability Attracts Exploit Attempts Within 24 Hours of Public Announcement” from the WP Tavern.

Those stories are somewhat inaccurate, as they are citing another company’s disclosure a day after us as being when the vulnerability was disclosed. But the far larger issue is that it seemed highly unlikely that an attacker was really trying to exploit this. If this was true, it would be rather news worthy since we have seen no evidence of any wide scale exploitation of reflected XSS vulnerabilities in WordPress plugins. It turns out the source for those stories, Akamai Security Intelligence Group (SIG) confused a script kiddie with an attacker, leading to those misleading stories. [Read more]