• Resolved Michael

    (@eizzumdm)


    We received an urgent message from one of our network administrators this evening that a form on a blog post on our Alumni magazine blog was being used by a Russian spammer to send thousands of spam messages.

The dead giveaway was the “…thinks you may be interested in the following post:” line at the end. When I tested the Email sharing feature, the message was just three lines of text. However, the spammer was able to figure out how to prepend a 913-character message that I will excerpt below. There is nothing lascivious, just some goofy text wishing someone happy birthday, then philosophizing that life is a book. жизнь – это книга! (“Life is a book!”)

    My guess (without any testing) is that there is no limit on the number of characters in the name field. So for the name field, they entered the long spam message, then for the email field, they entered “lanaismilana@bk.ru.”

    Spammers, and DDOSers, and hackers — oh, my!

    Tat yana Etepneva! Happy birthday! I sincerely congratulate you and want to tell you that life is a book. There are people who write it.
    There are those who read it and live the way someone else has written…

    [dot dot dot]

    (lanaismilana@bk.ru) thinks you may be interested in the following post:

    Jacobs-Jenkins ’06’s Play Opens in New York
    http://blogs.princeton.edu/paw/2014/03/jacobs-jenkins-06s-play-opens-in-new-york/

    I previously had the Email share button nested under the More button. I have removed the Email service, and the emails seem to have subsided. If you need logs, I would be able to obtain them Monday morning.

    Our blog network is running Jetpack 2.9.2 on WordPress 3.8.1

    https://wordpress.org/plugins/jetpack/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter Michael

    (@eizzumdm)

    I submitted this problem to the Jetpack “Contact Support” page, but I wanted to provide additional information, just in case others encountered this issue before a patch is released.

    This morning I had time to confirm the problem mentioned above on a local test server.

    The problem is, indeed, the Email sharing button. However, the problem is not immediately evident if a user is logged into the site. When a user (or bot) is not logged in, the Email button has a “Your Name” and “Your Email Address” field, in addition to the “Send to Email Address” field.

    There is no apparent character limit on the “Your Name” field. A spammer could use that field to pre-pend an entire email message to the “[Your Email Address] thinks you may be interested in the following post:” part of the message.

    Also there does not appear to be a throttle on the amount of times this form can be used, which means that it might be used in a mass email spam attack or, potentially, a DDOS attack.

    Plugin Contributor Richard Archambault

    (@richardmtl)

    Hi Michael,

    Thanks for contacting us about this. I see that you also contacted us by email and that my colleague replied asking for the logs, so I’ll mark this one as resolved, and we’ll see what we can do to prevent both issues from happening again.

    Richard,

    Sorry, but it seems that this issue has NOT been resolved with “Sharing” on Jetpack when “Email” sharing is enabled. The user reporting it to you above (Michael) is running the current versions of both WordPress 3.8.1 and Jetpack 2.9.2. I did not see a fix or solution listed. Therefore it does not seem like this issue is “resolved” quite yet, unless you know something that we do not. I have seen this exact issue occur. I think the only way to avoid it right now, is to go into “Settings” -> “Sharing” -> “Configure” and then drag-n-drop the “Email” icon from “Enabled Services” into the “Available Services” area under the “Sharing Buttons” section.

    Is the Jetpack team aware of this vulnerability as revealed in this article: http://fossforce.com/2014/03/wordpress-jetpack-sharing-plugin-exploited-by-spammers/

    If so, please let us know and when they estimate to have a fix or upgrade to Jetpack to prevent this issue.

    Thank you so much for your help.

    Plugin Contributor George Stephanis

    (@georgestephanis)

    David:

    Yes. Disable Email as a sharing service, and the problem is fixed.

    We’re investigating the best way to prevent spammers from taking advantage of this when it is enabled, but haven’t yet come to a consensus. If we were to implement some sort of rate limiting per hour based on IP or the like, then it could still be leveraged by botnets. It’s a difficult situation, and if you’re not comfortable with your server sending out emails at the behest of a user, just disable the Email sharing service.

    Cheers,

    George Stephanis
    Team Lead
    Jetpack Pit Crew
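The two weaknesses Michael describes (no length limit on the unauthenticated “Your Name” field, and no throttle on how often the form can be submitted) and George’s objection that a per-IP limit alone is defeated by a botnet, modelled as an added stand-alone Python example. This is not Jetpack or WordPress code; the limits, function names, IP addresses and sample inputs are assumptions constructed for the example. It goes one step beyond the thread by also collapsing newlines in the name, so the field cannot carry a multi-line body or extra mail headers, and it pairs the per-IP counter with a site-wide cap so that spreading requests across many IPs still bounds the total volume sent.

```python
import re
import time
from collections import defaultdict, deque

# Policy constants: assumed values for this example, not Jetpack's defaults.
MAX_NAME_LEN = 80        # a display name, not a 913-character email body
PER_IP_LIMIT = 5         # sends per client IP per window
GLOBAL_LIMIT = 50        # sends site-wide per window; bounds what a botnet can push through
WINDOW_SECONDS = 3600

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def sanitize_name(name, max_len=MAX_NAME_LEN):
    """Reduce the 'Your Name' field to a single short printable line.

    Newlines and tabs are collapsed so the value can neither inject mail
    headers nor smuggle a multi-line message ahead of the fixed template text.
    """
    one_line = re.sub(r"[\r\n\t]+", " ", name)
    printable = "".join(ch for ch in one_line if ch.isprintable())
    collapsed = re.sub(r" {2,}", " ", printable).strip()
    return collapsed[:max_len]


def valid_email(addr):
    """Cheap syntactic check on the sender address (no DNS or SMTP probing)."""
    return bool(EMAIL_RE.match(addr)) and len(addr) <= 254


class SendGate:
    """Sliding-window counters: one per source IP plus one site-wide.

    The per-IP counter stops a single abuser; the global counter is the
    backstop for a botnet that spreads requests across many addresses.
    """

    def __init__(self, per_ip_limit=PER_IP_LIMIT, global_limit=GLOBAL_LIMIT,
                 window=WINDOW_SECONDS):
        self.per_ip_limit = per_ip_limit
        self.global_limit = global_limit
        self.window = window
        self._per_ip = defaultdict(deque)
        self._global = deque()

    def _prune(self, hits, now):
        # Drop timestamps that have fallen out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()

    def allow(self, ip, now=None):
        """Return True and record the send, or False if either limit is hit."""
        now = time.time() if now is None else now
        ip_hits = self._per_ip[ip]
        self._prune(ip_hits, now)
        self._prune(self._global, now)
        if len(ip_hits) >= self.per_ip_limit or len(self._global) >= self.global_limit:
            return False
        ip_hits.append(now)
        self._global.append(now)
        return True


def handle_share_request(gate, ip, name, sender_email, post_title, post_url, now=None):
    """Process one unauthenticated 'share by email' submission.

    Returns (accepted, body_or_reason). The gate is consulted first so that
    every attempt, valid or not, costs quota.
    """
    if not gate.allow(ip, now):
        return False, "rate limited"
    if not valid_email(sender_email):
        return False, "invalid sender address"
    clean_name = sanitize_name(name)
    if not clean_name:
        return False, "empty name"
    body = (f"{clean_name} ({sender_email}) thinks you may be interested "
            f"in the following post:\n\n{post_title}\n{post_url}\n")
    return True, body


if __name__ == "__main__":
    # Constructed input: a 913-character "name" of the kind the spammer used.
    spam_name = "Happy birthday! Life is a book. " * 29
    gate = SendGate(per_ip_limit=2, global_limit=3, window=60)
    for attempt in range(4):
        ok, result = handle_share_request(
            gate, "203.0.113.7", spam_name, "sender@example.com",
            "Example Post", "https://example.com/post/", now=0)
        print(attempt, ok, result if not ok else f"{len(result)} bytes, name capped to {MAX_NAME_LEN}")
```

Note that a CAPTCHA (the approach Jeremy links to below) addresses a different part of the problem: it raises the cost per request rather than bounding the total, so the two measures complement each other.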

    Plugin Contributor George Stephanis

    (@georgestephanis)

    Also, here’s a GitHub thread — feel free to post suggestions there, and patches are of course, as always, welcome. 🙂

    https://github.com/Automattic/jetpack/issues/448

    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    “…think the only way to avoid it right now, is to go into “Settings” -> “Sharing” -> “Configure” and then drag-n-drop the “Email” icon from “Enabled Services” into the “Available Services” area under the “Sharing Buttons” section.”

    Another alternative would be to add reCaptcha to the email sharing buttons, as explained here:
    http://jetpack.me/2013/04/15/recaptcha-email-sharing-button/

    That should stop the spammers on your site.

  • The topic ‘Jetpack Social Sharing feature exploited to send thousands of spam messages’ is closed to new replies.