WordPress.org plugins hacked


Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

We’re still investigating what happened, but as a prophylactic measure we’ve decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.)

They also offer standard good advice:

As a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one.

Second, if you use AddThis, WPtouch, or W3 Total Cache and there’s a possibility you could have updated in the past day, make sure to visit your updates page and upgrade each to the latest version.

WordPress has had similar problems in the past, including an occasion when a fake “new” version was rolled out with a backdoor in it.

Meanwhile Dropbox, the digital locker service, has had to face the fact that it broke its own authentication system for four hours on Tuesday – which meant that anyone could log in to anyone else’s account. Dropbox says that it thinks only 1% of people logged into accounts in that time, though of course it doesn’t know if they were the ones who were meant to log in to them.

Many people might say “no harm done – all that’s happened is that someone might stick some files in your Dropbox.” Yes, or read them. Or, as someone suggested, stick a malware-infected file in. It’s a bad lapse for Dropbox. There’s enough hacking going on as it is without this.

Advertisements

About Naveen Thakur

A Wandering Geek Soul.

Posted on 23/06/2011, in Hacking, News and tagged , , . Bookmark the permalink. 1 Comment.

  1. lolz kya bat kar raha hai…..

    thank god i didnt have installed these plugins..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: