So much for providing security
I've asked for this plugin to be checked asap.
Actually, looking at the new version 1.47 I do not see any ability to view config.php files; in fact the app is well written. Really quite a nice service. I recommend this product and well done to cloudsafe365 for this plugin.
1) Security Reports should be emailed directly to plugins AT wordpress.org please and thank you :)
2) Author fixed it already (removed the file that had the problem)
It would be nice (<- that's an understatement...) if the fix would be mentioned in the change log. At the moment the change logs give the impression that the latest versions only introduced some performance tweaks, no mention of a serious security problem and the need to upgrade a.s.a.p:
= 1.47 =
* Bugfix: removed some old latency file in the system.
* Improvement: sped up coms system.
* Improvement: Added faster capabilities to dropbox.
I assume that "latency file" should actually read "legacy file", but even if that assumption is correct it would only tell half the story. The legacy file actually left blogs with a gaping hole. Bad communication.
Users should be informed about the potential impact of that legacy file lying around, they should be told to change their (database) passwords and salts, and if cloudsafe365 really want to help their users they should inform them about how to investigate their logs for traces of abuse through the legacy file.
Security is not just about technique, it is just as much about open and straight forward communication and honesty, i.e.: Doing the right thing, even if that means you'll have to pay the piper.
What I see here looks more like a coverup, "fix and move on"...
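The log investigation asked for above is something a site owner can do from the web server's access log alone. The following is an added example, not code from the thread or from cloudsafe365: it scans Apache/Nginx combined-format log lines for requests to the plugin's removed file that carry a path-traversal or wp-config indicator, and separates requests that got a 2xx (the file was probably read) from ones that failed. The plugin directory, the legacy file name (`legacy.php`) and the log lines themselves are constructed assumptions; the thread does not name the file, so take the real name from the 1.46 to 1.47 diff before running this against production logs.

```python
import re
from urllib.parse import unquote

# ASSUMPTIONS (not stated in the forum thread): the plugin's directory under
# wp-content and the name of the legacy file removed in 1.47. Replace both
# with the values from the actual 1.46 -> 1.47 diff.
PLUGIN_DIR = "/wp-content/plugins/cloudsafe365/"
LEGACY_FILE = "legacy.php"

# Apache/Nginx "combined" log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators that the request was after wp-config.php or walking out of the plugin dir.
SENSITIVE = ("wp-config", "../", "..\\")

# Constructed sample traffic (RFC 5737 documentation addresses); not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2012:10:12:01 +0000] "GET /wp-content/plugins/cloudsafe365/legacy.php?file=../../../../wp-config.php HTTP/1.1" 200 3117 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jun/2012:10:12:09 +0000] "GET /wp-content/plugins/cloudsafe365/legacy.php?file=../../../../wp-config.php HTTP/1.1" 404 216 "-" "curl/7.21"
192.0.2.15 - - [03/Jun/2012:10:13:44 +0000] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
192.0.2.15 - - [03/Jun/2012:10:13:50 +0000] "GET /wp-content/plugins/cloudsafe365/legacy.php?file=style.css HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2012:10:14:20 +0000] "GET /wp-content/plugins/cloudsafe365/legacy.php?file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3117 "-" "Mozilla/5.0"
"""


def decode(target: str) -> str:
    """Percent-decode twice so double-encoded traversal (%252e%252e) is caught too."""
    return unquote(unquote(target)).lower()


def triage(log_text: str) -> dict:
    """Return requests to the legacy file with traversal/wp-config indicators,
    split into 'successful' (2xx status) and 'attempted' (anything else)."""
    result = {"successful": [], "attempted": []}
    legacy_path = (PLUGIN_DIR + LEGACY_FILE).lower()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = decode(m["target"])
        if not target.startswith(legacy_path):
            continue
        if not any(token in target for token in SENSITIVE):
            continue  # benign use of the file, e.g. a plain asset name
        hit = {
            "ip": m["ip"],
            "time": m["time"],
            "status": int(m["status"]),
            "size": m["size"],
            "request": target,
        }
        bucket = "successful" if 200 <= hit["status"] < 300 else "attempted"
        result[bucket].append(hit)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for hit in report["successful"]:
        print("LIKELY DISCLOSURE", hit["time"], hit["ip"], hit["size"], hit["request"])
    for hit in report["attempted"]:
        print("attempt", hit["time"], hit["ip"], hit["status"], hit["request"])
```

A 2xx response whose size matches your wp-config.php (a few kilobytes) rather than an error page is the strongest sign the secrets were actually served; treat any such hit as confirmation that the database password and salts must be rotated, not merely that the plugin needs upgrading. Logs that were rotated away before the legacy file was removed cannot prove absence of abuse, which is why the thread's advice to rotate regardless is the safe default.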
The plugin was assessed independently. There's no cover up going on here.
Okay, the change log has been updated. However, looking at the stats it looks like roughly 20% of the 10,000+ installed instances of this plugin are the affected version 1.46. That means that potentially 2,000 blogs are still affected right now, and that the owners of these blogs not only need to be informed about the fact *that* there is a problem, but also about *what* the problem and its impact is.
Someone (cloudsafe365 if you ask me) needs to inform those blog owners. You are right, there is no cover up going on, but the full story is not being told either.
They will have had an update notice for the plugin.
This post stream is totally inaccurate. Yes, there was an issue; however, it was fixed very quickly with a release.
I understand that an email has gone to all users of the plugin and the user count Scaw refers to is not accurate due to the way the WordPress download count works. It would be more like 500-1000 due to users who have upgraded or have the plugin inactive.
Please also note the Blog Post
Yeah, they seem to have already informed customers. I got an email from them and have installed the new version on my 23 sites.
I can also confirm this email as I got one explaining what happened and the fix. So I also applied the new patch with no issues at all. They offer a great service....
@cloudsafe365 (whoever their representative on this forum might be)
If there is anything inaccurate about this post stream, then that's due to the way you communicate about this issue. You are correct, you provided a fix very fast. From then on, however, you were lacking in your communication towards your users.
The things you did right:
- You provided a quick fix
- You eventually added the fact that there was a security incident in the change log
- You informed your users about a security issue on your blog
However, you did not inform your users about the impact of what happened, nor did you advise users to change their passwords and/or salts.
Sorry for being a pain in the butt, but really, there still are 500-1000 users who potentially had/have sensitive information exposed. Just telling them to upgrade is not enough.
Due to this issue I could read the WordPress config.php on cloudsafe365.com. Did you (cloudsafe365) change your password and salts? If not, all it would take me to take control of your WordPress installation is some other vulnerability that allows me to place some arbitrary file on your installation. Such a vulnerability *will* arise some day, either through WordPress itself, some third-party plugin, a PHP vulnerability or an Apache/Nginx vulnerability.
If you changed your password, why don't you tell your users to do the same? If you did not change your password, what makes you think you don't have to?
Just to be clear: I saw your password but didn't write it down or memorize it. I don't have any bad intentions, I am just concerned about the way you are dealing with this issue towards your users, especially since you provide a security service, be it a paid or a free one. The average user tends to trust that you, the one offering that service, will do the right thing. You have not done all the right things yet.
Please, instead of publicly ignoring good advice here in these fora, start informing your users about the impact and about what they need to do besides upgrading the plugin. After all, advising your users about how to handle security issues is the business you are in isn't it?
If you would like to take this discussion somewhere else, feel free to contact me. I changed my profile to show my real name instead of my nick, just Google it and you will be able to contact me.
Hey man, got an email and all good with the plugin. I am an independent developer.
Stanley, I got an email from cloudsafe365 suggesting that I upgrade, which I was extremely appreciative of.
I also note that the blog post suggests the changing of passwords and an upgrade to v1.47
I also understand that an email has gone to all users
It is clear to me that cloudsafe365 are offering a compelling product, not just because of the product description but also because of the supporting statements here in this forum.
I have been pushing pretty hard on this forum to get cloudsafe365 to go the extra mile. I don't know to what extent my pushing contributed there (actually, it doesn't matter), but it seems cloudsafe365 have gone the extra mile and are seriously trying to do the right thing there.
The way I went about this may have given the impression that I think cloudsafe365 are not handling this responsibly. That is not the case. Yes, I have been pushing them to do more and keep moving. Most important is that they did more and kept on moving.
Security incidents are hard to handle, from a technical, a commercial and a communications perspective. Given that they are working from a different time zone than most of us, I think in the end they managed to handle this incident, even though it may not have been entirely flawless, much better than the vast majority of the industry.
Well done! I have been contacted privately by cloudsafe365, so I am off to my private mailbox now.