slavco
Sep 9, 2018 · 4 min read
PR person in action!

Punter is an interesting word. It has two meanings:

  • In the US/Canada it means a football position
  • In England/Europe it means a person who places bets

Well, those meanings have something in common: when punters fail in their actions, the consequences are quite big for their surroundings. Now it is time to reveal the punters. Yes, you guessed! They are the WordPress security team and their PR person, a.k.a. the security team lead, who is a remarkable person, baked, i.e. put in that position by two big authorities!

Intro

For those who don’t want to watch the complete video, I’ll put the major points from it here, i.e. the things that led to this writing and are real proof of how centralized and corrupted this ecosystem has become!

https://videos.files.wordpress.com/R6JqEiTB/video-6a9a3f3ccc_hd.mp4

  1. Ghetto: Hackerone
  2. Gang: 50+ members security team (should be extended with members of other popular plugins)
  3. C&C server: Centralized update mechanism

Ghetto: Hackerone

The presentation describes the flow, i.e. the life cycle of security issues reported to a “team”, and the tools used. At the top is placed H1 (HackerOne), and below it are all of the remaining tools / systems, which are more than enough for controlling and handling the security of one piece of software. From my and other researchers’ experience, H1 is used as an extremely effective tool for silencing reporters to the WordPress project and for evading responsible disclosure rules (I don’t think H1 itself is abused by WordPress; H1 has nothing to do with “Responsible Disclosure”, the foundation of the platform). Usually this is the case:

  1. Bug is reported
  2. Triaged
  3. Radio silence for 3 months at least
  4. Security team asks for an extra 3 months
  5. Reporter hits mediation
  6. They get their 3 months from support
  7. Radio silence
  8. Disclosure

There is no need to believe me (read the other posts here regarding WP; all of them are 0days / not fixed today), check these presentations from Orange Tsai and Sam Thomas, 0days too. Check the unpatched DoS issue. Check the obscure updates from Scott Arciszewski. Check the REST API… (fuck, I haven’t reported this one yet O_o).
The conclusion is the following: not one of the severe issues that result from the BROKEN core is fixed, no bounty is given, and H1 and its personnel are used only as a tool for silencing researchers and delaying patches! Not once has the WP “security” team requested help from anyone to apply a patch under normal conditions! They “cooperate” while they steal from you (rant master and PR person show) or when they split credits for nothing (PR person fence).

Gang: security team

The security team, as the PR person states, counts 50+ persons. Some are faces from the WP community (selling themselves as WP security experts), but there are also people from some of the acceptable companies; not everyone is welcome there (there are plugins with millions of installs that don’t have anyone there, but there are ones who “sponsor” camps and place silent patches before the others; it is open source, morons)! As some of them state: “If it is reported, it isn’t a 0day”, which is the absolute truth! This means, my fellow hosting providers, plugin and theme developers, that you are losing, i.e. you are always a step behind your competition if they have their own member there or are close with someone from the gang! This means they have at least a year’s advantage to apply best security practices in their products, gain a huge advantage, lower their costs and build their brands!

C&C server: centralized update server

There isn’t much that needs to be said here. This system is used to push updates for their (the gang’s) own sites, for their broken themes and plugins, while the rest are left to face their destiny: a ban from the wordpress repository and hard wiping from news outlets (regarding outlets, there is some information yet to be revealed…). Regarding the “security” of the web sites, please note that updates aren’t pushed everywhere at the same time; they go step by step. What do you think, is there some order maybe? Can the update system be abused by someone to reach your infrastructure? :)

WordPress community — cracked

Many people have faced the arrogance and egoism of the WordPress security and core team. They feel the pain, they know the place is getting centralized, they know it will be worse than it is now. They know their word isn’t heard by anyone. They know that good intentions are always abused by them. They know that when WP “authorities” are kind, there is something much more behind it…

That is why the cracks in the community are obvious. There is the first promising fork of WordPress, ClassicPress. There are a few others I’m aware of that are preparing for action! I know there is a “core” group ready for a coup… Interesting times are ahead of us, and no, it isn’t your fault; go on and continue being yourself on some of the upcoming forks, new projects or maybe on a refreshed WordPress!

Sorry!

No song…

Advice

In case you want to increase the security of your WP systems, you can take a few points from the above. I would advise tracking in detail the fixes that are pushed by the WP puppets, always having a dummy / honeypot WP instance (for updates and attacks), and never trusting words and empty promises!

websec

Attack sources + web application security
