At cyberstorm.mu, we love to use acronyms for our hackathons. Our first hackathon was Operation S.A.D. Most people did not figure out the true meaning of W.T.F. It was fun seeing the attempts of some people who tried to find the real meaning.
Operation W.T.F stands for Wordpress Tiny Flaws. We spent 2 days peering inside a number of wordpress plugins with an eye towards finding and fixing security flaws. This turned out to be a very interesting and insightful hackathon. Personally, I felt that I learned a lot by sharing my ideas, and arguing back and forth with other members of cyberstorm.mu. What was interesting to me was that I was able to identify patterns of insecure PHP code within wordpress plugins. In turn, this will help me better evaluate the quality of a wordpress plugin before using it for work or personal use.
Wordpress is a small CMS which is popular for small & medium-sized websites. Many bloggers use it, because it is both easy to setup, and there is a rich ecosystem of wordpress plugins. Wordpress has often been criticized due to its security record. What is more worrying is the varying quality of the wordpress plugins. There are some wordpress plugins that are written with the best security in mind, and you can genuinely see how much some software engineers care about their code.
By contrast, you have some plugins where you can quickly identify the lack of security focus: unchecked input paths leading to code execution, and sometimes plainly buggy code that would work on a lucky day.
Before we delve into the of the details, I would like to thank the anonymous sponsor for providing us with a top-notch hacking room. We left Ebene on a Friday night, and drove to Port Louis with the car packed with clothes, laptops and network gear. We stopped by in Port Louis to have a beer before heading to Pereybere.
As soon as we arrived there, we wasted no time and set up our networking gear. We all wanted to get internet as soon as possible. We got bad reception due to the high number of concrete buildings nearby. Selven and the others had the crazy idea to put the antenna in my assigned bedroom, and run an ethernet cable down to the kitchen through a window. The kitchen became the hackroom.
We went to sleep almost at 3 AM on day 1. We ate pizza, and started laying down the plan for the audit of wordpress plugins.
The next day, I woke up early around 8:00 AM to get back to hacking. I was greeted with a nice scene from my bedroom.
The second day was very intense. Akhil and Yash found an interesting security bug in a wordpress plugin, wrote the PoC, and designed a patch. Writing security fixes led to some strong arguments about the different attack vectors that could be used to bypass it, and Selven shared his hard-earned experience in the area.
Nitin discovered 2 security flaws in another wordpress plugin. I was a bit shocked at the demo of nitin for taking advantage of the flaws. Complexity can hide vulnerabilities.
Many of you might wonder why we are not publishing our findings ? We follow responsible full-disclosure practices. We contact the authors of the vulnerable plugins, report out findings, and send them our proposed fixes. Once the fixes are available, we may decide to publish them. There is a grey line as to when is the most appropriate time to disclose security flaws. We prefer to give people enough time to patch, before publishing our security reports.
On the 3rd day, we polished some of the proposed patches, based on feedback we received. Avinash Meetoo dropped by at around 3pm, and we had an interesting conversation. We celebrated a bit with champagne. On the 3rd day, we had some intermittent power outages. We took advantage of them by going out to hunt for food in nearby places ! I noticed how many did not bother to worry about food, due to the deep level of concentration they had reached !
At 5:30, we started tearing down, and packing our stuff. I could see how happy many of the members were. Overall, it was a very interesting hackathon, and I believe that we all learned a lot from the experience. I took some time to play in the pool, and then headed home !