04 Mar

Trying to Hide Vulnerabilities That Are Already Being Exploited Can Make It Harder to Protect Websites Against Them

Last week we had an odd interaction with the developer of the Freemius library, where they wanted us to take down a post about a fixed vulnerability in their library that, it seemed to us, was already the target of exploitation attempts through WordPress plugins containing it. That seemed odd to us: since it was already being exploited, pretty clearly we hadn’t disclosed the vulnerability, as they were claiming was at issue with our having put out the post. We wondered if they missed the part about it looking like it was already being exploited (despite, among other things, it being the headline of our post) or whether they assumed we were wrong in thinking that. It turns out they already knew that exploitation was being attempted before they even fixed it:
