17 Jun 2019

Hey Facebook, a Bug Bounty Program Isn’t a Replacement for Properly Reviewing the Security of Your Code

Earlier today we disclosed that two WordPress plugins developed by Facebook have vulnerabilities due to failing to do security basics. While these are relatively minor vulnerabilities, Facebook has introduced vulnerabilities on quite a few websites, as one of those plugins has 20,000+ installs and the other 200,000+. Another of their plugins, with 100,000+ installs, has a minor security issue caused by the same missing security basic involved in the vulnerabilities in the other two, though we wouldn’t classify it as a vulnerability given what can be accomplished with it.

Since both are vulnerabilities in the type of code that is often involved in disclosed WordPress plugin vulnerabilities, they should not have been missed if security reviews of the plugins had been done, even if the entity doing the review wasn’t very good at it. So it seems highly unlikely that Facebook had that done for these plugins. [Read more]

17 Jun 2019

Facebook’s WordPress Plugin Messenger Customer Chat Contains an Authenticated Settings Change Vulnerability

In our previous post we detailed running across a vulnerable WordPress plugin made by Facebook with 200,000+ installs. After noticing that, we did a quick check to see if any of their other plugins had similar issues. We found that their plugin Messenger Customer Chat, which has 20,000+ installs, contains a similar vulnerability, though in this case the code is even less secure.

The plugin registers the function fbmcc_update_options() to be accessible to anyone logged in to WordPress through its AJAX functionality: [Read more]
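The pattern behind this class of bug is worth seeing in code. The block below is an added illustration written for this page; it is not code from the Messenger Customer Chat plugin or from Facebook, and every name in it (example_update_options, the example_setting option key, the settings_page_example hook, settings.js) is an assumption. In WordPress, a callback hooked to wp_ajax_{action} runs for every authenticated user, subscribers included, so an options-changing handler that performs no capability check and no nonce check lets any logged-in account rewrite the plugin’s settings. The vulnerable shape is shown first, then a hardened version.

```php
<?php
/*
 * Added illustration for this page; hypothetical plugin code, not Facebook's.
 * All function, option and hook names below are assumptions.
 */

// ---- Vulnerable pattern ---------------------------------------------------
// WordPress fires wp_ajax_{action} for every logged-in user regardless of role.
// Nothing in this handler checks who is calling or whether they meant to
// (no current_user_can(), no nonce), and the value is stored unsanitised.
//
// add_action( 'wp_ajax_example_update_options', 'example_update_options_vulnerable' );
function example_update_options_vulnerable() {
    update_option( 'example_setting', $_POST['value'] ); // any subscriber can reach this
    wp_die();
}

// ---- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_example_update_options', 'example_update_options' );

function example_update_options() {
    // 1. CSRF protection: the request must carry a valid nonce tied to this
    //    action. On failure check_ajax_referer() dies with a 403.
    check_ajax_referer( 'example_update_options', 'nonce' );

    // 2. Authorisation: only users who may manage options (administrators on
    //    a single site) can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: sanitise and constrain the value before storing it.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    if ( '' === $value || strlen( $value ) > 64 ) {
        wp_send_json_error( array( 'message' => 'Invalid value' ), 400 );
    }

    update_option( 'example_setting', $value );
    wp_send_json_success( array( 'value' => $value ) );
}

// The legitimate caller (the plugin's own settings page script) is handed the
// nonce it must send back, so the check above does not break normal use.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_update_options' ),
    ) );
} );
```

A quick check for this bug when reviewing a plugin: log in as a subscriber and POST action=<the registered action> to /wp-admin/admin-ajax.php. A handler of the first shape will change the option and return; the hardened one rejects the request at the nonce check with a 403 before any option is touched. Note that a nonce check alone is not an authorisation check: a subscriber visiting the settings page could obtain a nonce, so current_user_can() is still required.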

17 Jun 2019

Automattic is Having WooCommerce Install by Default an Insecure Plugin by Facebook

The line between the open source project WordPress and the company Automattic is often blurry. You can find journalists referring to the latter as owning the former, despite that not being true. The person who resigned a couple of weeks ago as the Marketing and Communications Lead for WordPress mentioned that they were often assumed to be an Automattic employee or treated as the token non-Automattic team member:

My position is unclear, not just to me, but to many people which makes me uncomfortable. I’ve been asked dozens of times on Twitter, Facebook and at WordCamps why I now work for Automattic, which of course I don’t but that is the perception for a lot of people. On other occasions I seem to be the token non-Automattician, which I’m also uncomfortable with. [Read more]