17 May

Did Checkmarx Make Up Claimed High-Risk Vulnerabilities in Top WordPress e-Commerce Plugins?

Security journalism has been in rather bad shape for years, but at times it manages to be worse than others.

When it comes to coverage of WordPress what was a fairly popular line of stories years ago was to repeat claims by security companies that they had found a bunch of websites that had the same hack that were all running a certain outdated version of WordPress, with the implication of this that the hack was related to the WordPress version. When we would look into this we find problems from that websites were not all running the claimed version of WordPress or even running WordPress all, to vulnerabilities being cited as being in a certain version of WordPress actually being claimed vulnerabilities in plugins, to the blog of the security company where the claims were made running an even more out of date version of WordPress. [Read more]

28 Nov

What worse than security journalism? Security journalism by security companies.

When it comes to poor state of security a big cause is the poor state of the security industry, in which most of the companies don’t know or care much about security. There is obviously role for journalism to shine light on how bad things are, but unfortunately they are often a part of the problem instead. For example, it seems like that the poor state of security journalism actually leads to some of the inaccurate and sometimes all together false research being put out by security companies, as sensational claims are more likely to get coverage from journalists and those journalist often don’t do any due diligence as to whether the claims have a basis in fact. So a security company could spend a lot of time doing real research and hope that it gets covered or they could skip the hard work and just make claims that are likely to pique the interest of journalists knowing that it is unlikely the journalists will look into the accuracy of the claims.

When it comes to the security of WordPress plugins we often see inflated claims about minor issues, while at the same time other issues that are serious issues don’t get coverage. Take for example a situation that we have been trying unsuccessfully for years to get fixed, where WordPress is refusing to warn people that they are using plugins that have been removed from the Plugin Directory due to security vulnerabilities. Considering that some of those plugins will never be fixed by the plugin’s developers and others are already being exploited when the plugin is removed, warning people is necessary and not doing it is leading to websites being hacked. At the same time you get overblown coverage of minor vulnerabilities that have already been fixed. A recent situation along those lines, shows that sometimes security journalists can actually be better than that, but that security journalism done by a security company can come in to keep the bad situation going. [Read more]