mask.of.sanity quotes a report from The Register: Up to a quarter of all websites on the internet could have been breached through a since-patched vulnerability that allowed WordPress’ core update server to be compromised. The since-shuttered remote code execution flaw was found in a php webhook within api.wordpress.org that allows developers to supply a hashing algorithm of their choice to verify code updates are legitimate. Matt Barry, lead developer of WordPress security outfit WordFence, found attackers could supply their own extremely weak hashing algorithm as part of that verification process, allowing a shared secret key to be brute-forced over the course of a couple of hours. The rate of guessing attempts would be small enough to fly under the radar of WordPress’ security systems. Attackers that used the exploit could then send URLs to the WordPress update servers that would be accepted and pushed out to all WordPress sites. Web-watching service W3techs.com reckons those sites represent 27.1 per cent of the entire world wide web. “By compromising api.wordpress.org, an attacker could conceivably compromise more than a quarter of the websites worldwide in one stroke,” Barry says. “We analyzed [WordPress] code and found a vulnerability that could allow an attacker to execute their own code on api.wordpress.org and gain access to it. Compromising this [update] server could allow an attacker to supply their own URL to download and install software to WordPress websites, automatically.” Attackers could go further; once a backdoored or malicious update was pushed out, they could disable the default auto updates preventing WordPress from fixing compromised websites.

Read more of this story at Slashdot.

Source: Slashdot – WordPress Auto-Update Server Had Flaw Allowing Persistent Backdoors In Websites