Support » Plugin: GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership » Keep getting emails saying the “cryptobox keys changed”

  • Resolved flantascience

    (@flantascience)


    I’ve used this plugin for over a year with no issues. But in the last couple months I’ve received several emails saying the “cryptobox keys changed”.

    The email contains things like this (except I added “I-WONT-PUT-THE-KEY-HERE-IN-CASE-OF-SECURITY”)

    hu, 07 May 2020 23:44:02 +0000

    GoUrl Bitcoin Payment Gateway for WordPress plugin

    Following crypto payment box/es keys was changed on your website –

    Array
    (
    [bitcoinpublic_key] => Array
    (
    [old_key] => I-WONT-PUT-THE-KEY-HERE-IN-CASE-OF-SECURITY…..
    [new_key] => I-WONT-PUT-THE-KEY-HERE-IN-CASE-OF-SECURITY…..
    )

    [bitcoinprivate_key] => Array
    (
    [old_key] => I-WONT-PUT-THE-KEY-HERE-IN-CASE-OF-SECURITY…..
    [new_key] => I-WONT-PUT-THE-KEY-HERE-IN-CASE-OF-SECURITY…..
    )

    )

Viewing 10 replies - 1 through 10 (of 10 total)
  • countermind91

    (@countermind91)

    Hello,

    We received two emails yesterday evening with the same content about keys being changed.

    After checking the keys in plugin settings, i discovered that keys were actually changed so its not only a fake message that is sent but keys are being actually changed remotely.

    I have checked all the logs for possible breach to our wordpress backend, however there was no suspicious activity of any kind as all administrator logins were checked and clean.

    This seems to be a major security concern considering that this plugin is used to proccess payments.

    I request from the development team to come back with an explanation how is it possible for the keys to be replaced remotely and if their development team is the one behind changing the keys.

    bingobobby

    (@bingobobby)

    Same happened here. Can you check your /wp-content/upload/gourl/images folder for a php file, or an image with php contents.

    Also which version are you using.
    Have you ever used version 1.4.14, or prior?

    countermind91

    (@countermind91)

    @bingobobby

    We were using a 1.5.3 version at the moment the keys got replaced, updated it to latest 1.5.4 version today.

    I checked /wp-content/upload/gourl/images folder and there is no php file inside. I also went through all the images and checked for php code inside, there is no php code inside any of the images for the current 1.5.4 version.

    Still waiting for a response from developers.

    Plugin Author gourl

    (@gourl)

    1. Please update GoUrl Plugin to version 1.5.4
    https://wordpress.org/plugins/gourl-bitcoin-payment-gateway-paid-downloads-membership/

    2. Re-setup your keys on your GoUrl settings page – https://gourl.io/images/wordpress/screenshot-4.png

    3. Optional – make file gourl.hash – readonly. GoUrl Public/Private keys will be not editable anymore (readonly mode).
    Location – ../wp-content/plugins/gourl-php/gourl.hash
    Directory – wp-content/plugins/gourl-php
    Instruction – https://www.cyberciti.biz/faq/linux-write-protecting-a-file/

    countermind91

    (@countermind91)

    @gourl Updating the plugin to 1.5.4 version does not resolve the backdoor problem of keys being changed remotely.

    The keys on our website got remotely changed again a few hours ago, even with latest 1.5.4 version

    Your suggestion of changing the write permissions on gourl.hash file is also not resolving the cause of the backdoor problem itself. Any kind of backdoor should be treated extremely serious, especially when it comes to plugins that are used to process payments. I would expect at least an explanation on what caused the backdoor and what is being done on fixing it.

    Plugin Author gourl

    (@gourl)

    No other reports received for ver 1.5.4+

    Plugin have condition –
    if (is_admin() && is_user_logged_in() && current_user_can('administrator')) ...
    I.e. only admin can change keys.
    Source – https://github.com/cryptoapi/Bitcoin-Wordpress-Plugin/blob/master/gourl.php#L1051

    Also if gourl.hash have invalid md5 hash, all keys values automatically reset –
    Source – https://github.com/cryptoapi/Bitcoin-Wordpress-Plugin/blob/master/gourl.php#L908

    Please send us your plugins\gourl-bitcoin-payment-gateway-paid-downloads-membership\gourl.php file and new used keys.

    Please change your website admin password, because admin user can modify file
    plugins\gourl-bitcoin-payment-gateway-paid-downloads-membership\gourl.php

    bingobobby

    (@bingobobby)

    @gourl
    You know that
    if (is_admin() && is_user_logged_in() && current_user_can(‘administrator’))
    becomes valid if
    !current_user_can(‘administrator’) ?

    Meaning the whole thing returns true if the user can “not” administrator?

    Changing it to only if (is_admin() && is_user_logged_in()) seems more secure.

    Plugin Author gourl

    (@gourl)

    User can save settings only if three conditions valid.

    See here – https://github.com/cryptoapi/Bitcoin-Wordpress-Plugin/blob/master/gourl.php#L1060

    is_admin() – Determines whether the current request is for an administrative interface page

    is_user_logged_in() – Determines whether the current visitor is a logged in user

    current_user_can(‘administrator’) – Check If User Is Administrator

    https://www.webroom.tech/check-if-current-user-is-administrator/

    Please update GoUrl WordPress plugin to 1.5.6 – we added more security layers

    Jamie

    (@scragglydoggames)

    +1 on the key change email, i’ve removed gourl completely from a couple of sites i had it installed with.

    can @gourl please explain what happened?

    Plugin Author gourl

    (@gourl)

    That was the security issue of our open source WordPress plugin for some users (only one plugin, not affected other plugins / gourl.io website). It was fixed on the same day. All versions 1.5.4+ are safe. Please update to latest 1.6.0 version.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Keep getting emails saying the “cryptobox keys changed”’ is closed to new replies.