Support » Plugin: Captcha » Why did it take so long to sort the backdoor problem out?

  • Resolved cjc1867

    (@cjc1867)


    Now all of a sudden someone responds that the problem has been sorted out and then closes all the posts about this subject.

    I will still not trust this plugin whether it is fixed or not.

Viewing 12 replies - 1 through 12 (of 12 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    The problem was sorted out a week ago, and Wordfence waited until the auto update process ran it’s course before reporting on the topic.

    Again, please read their article. We thought it was quite well written and explained the situation well. We worked directly with them to sort it out, to our mutual satisfaction.

    I closed the posts because they all said the same thing, and we don’t need hundreds of copycats from people who are overreacting at a solved problem.

    Source: me, who actually fixed the problem and committed the changes to fix the plugin.

    At the time of posting mine nobody had done and when I clicked Submit one of the other posters had probably did it at the same time as me.

    Well done for fixing the issue but I won’t be using it.

    Kind regards

    Colin

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    There’s four support posts, and three reviews, all of which have the same info, which is a link to that article.

    TBH, the same thing happens whenever they make a blog post about a security issue. We do work with them to fix things, and they report issues to us first, but when they do finally tell their readers, we get dozens of people reposting the same links here over and over, leaving bad reviews, and the like.

    There’s a name for this, and it’s called “vote-brigading” in places like Reddit. In our case, it’s likely unintentional, well meaning folks, but the truth is that we knew and fixed this problem, with their active assistance, and worked to roll out a fix to a hundred thousand affected sites before anybody else was informed about it. Early disclosure is dangerous for a problem like this, and they did the right thing and helped us fix it properly.

    So there’s no need for us to report it, we let them do it. They found it, we fixed it with their help, and they said as much in their article. No need to flood our forums with the same repeated information. Okay?

    You can use whatever plugins you like. We agree with their recommendations on this matter. We acted to keep users safe, with their assistance and responsible reporting, and we don’t need half a dozen links to that article, posted by everybody who isn’t reading that fact in the original article. Nothing personal, just trying to keep things tidy.

    Sorry @otto42 for repeating answer quoting that part of the source that nobody talked about it (the final part).

    To maintain order, the best would have been to put a post posted at the top, warning of this complicity on the part of those responsible for the WordPress repository, and Wordfence. And this multitude of messages would have been avoided.

    I’ve been on forums since 2002 and it’s a regular thing (important to put post at the top), but I do not know why you did not have the idea to do it here. No mood to bother.

    I have a course in Udemy (16h) and I recommend my students to take plugins and themes from the WordPress repository because in theory it has security controls.

    Greetings!

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Our concern was to fix the code and to get that fix pushed as widely as possible as far as possible. I did that last week, and it rolled out over this week. We let them report it because they reported the issue to us.

    As far as posting something in the forums, we didn’t have any time to do so. We had people posting that link the instant it was published. I was not aware that they published their article until an hour ago, by which time people had already bombarded our forums.

    They said they worked with us in their actual article. Read to the end next time.

    Hi @otto42

    And it’s appreciated. But you have to understand that not everyone has the Wordfence security plugin (I do, and recommend in the course, to my students and even configuration of email alerts).

    But if now that you just closed 4 post, you put a post posted on the top… sure you save more post replies.

    Because the questions that I ask myself and more people are…
    1ยบ. What will happen to this plugin? And the author? I mean… will not there be more new versions?
    2ยบ. Alternatives to this plugin? I only see this as the most similar:
    Math Captcha‘ (By dFactory) although it has not been updated for 1 year… it works in WP 4.9.1

    Greetings from Spain & Goodnight! ๐Ÿ™‚
    Pd.: I did read the article until the end, and that’s why I put it in all the other post, so that people would not have any doubt with the source where it is said.

    • This reply was modified 1 year, 11 months ago by Joan Morci. Reason: I did read the article until the end
    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    I understand, and the closing of the posts was not intended to cast judgement on anybody. As for putting a post on top, there’s now 5 posts on top. I think that would be a bit redundant. ๐Ÿ˜Š

    None of those posts will be removed. We just don’t need a million “me too” replies to them.

    Hello @otto42

    Ok, I understand. It will also be the main news of the plugin.

    Wordfence is the only one that monitors possible insecurities, plugin or themes? And then… does the WordPress.org team put a solution?

    I ask this because I want to transfer this information to my students of the Udemy course, and also for my own safety to know. And more actively recommend the Wordfence plugin as the right one for WordPress.org

    Greetings!

    You said that you cleaned the code and pushed an update. What’s next? Can’t the plugin owner do the same thing again? You didn’t revoke his account or something.

    Not sure if that’s actually a solution.

    And frankly, if he did it once, he will continue to do it..

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    @joanmor No, we receive security reports from many places and people, as well as doing our own scans. Wordfence is not the only security company out there, we work with many different people to maintain the security of all things hosted on WordPress.org.

    @sgurygf As the article says, yes, we did remove the author’s commit rights. Please read the entire article.

    Hi @otto42

    Seen what happened, I think the WordPress repository team should reinforce its security, alerting the user of the change of ownership of a plugin. The most convenient way is your choice, perhaps notifying the security plugins of this new change or forcing the original owners to notify their team (WordPress repository).

    I wrote an article, in Spanish, talking about this topic and some link to this thread.

    Greetings and thanks for everything!

    • This reply was modified 1 year, 11 months ago by Joan Morci. Reason: Add Spanish article
    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    @joanmor That is not possible. Even we are not informed of plugins changing owners.

    In this case, they changed the committer account, but there are legitimate reasons to do that other than selling plugins. And if they wanted to hide that fact, then they would simply hand over the account username and password to the new owners and we would be unaware of the change.

    The short of it is that we are hosting these free plugins. We did not create them, and we do not monitor them at all times. We rely on reporting, and any changes that seem suspect should be reported to the plugins team by users. In this case, the plugin was reported for a trademark violation, and the security issue was then discovered afterwards. This limited the impact.

    But the truth is that yes, we have some trust in plugin authors, and when they violate that trust, then things like this happen and they get banned.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘Why did it take so long to sort the backdoor problem out?’ is closed to new replies.