When it comes to improving the security of websites among the many problems is that the public doesn’t have a good understanding of how much risk various security issues pose. That leads to among other things, people believing that websites must have been hacked due to software on a website that contained a known vulnerability despite no evidence to support that and it being very unlikely that the vulnerability would be exploited, much less that it could have lead to the website being hacked. Unfortunately we often find those involved in security are the ones overstating the risk posed by vulnerabilities.

On Monday we detailed a vulnerability that had been fixed in the plugin Metronet Tag Manager, where the changelog entry for the version it was fixed in was “Fixed serious security issue. Please Update.” A possible explanation why it was labeled as such despite not being anywhere near a “serious” issue came yesterday, as on Tuesday the finder of the vulnerability, dxw, released a report on the vulnerability with the title “CSRF in Metronet Tag Manager allows anybody to do almost anything an admin can”. The third sentence of the description seems to explain that claim: [Read more]