This month we had only two WordPress plugin exploits, but a couple of other troubling WordPress issues to be aware of. I also talk about Peloton, some good zero-day bugs closed by Apple, Google, and Microsoft, Facebook moving ads into VR, Google's COVID tracker auto-install, and a trove of over 1 TB of stolen information that was discovered without anyone knowing which malware to blame.
There were only a couple of major plugin vulnerabilities disclosed this month, but this was still a very eventful month for WordPress.
First, the plugins:
- WooCommerce Stock Manager: A vulnerability in this plugin (installed on 30,000 sites) would allow an attacker to upload an arbitrary file (which could contain malicious code) to a website simply by convincing a site admin to click a specially-crafted link. This could allow for remote code execution and a site takeover. The vulnerability was fixed in version 2.6.0.
- WP Fluent Forms: A cross-site request forgery in this plugin would allow an attacker to take over a site. Exploiting this vulnerability requires some highly-targeted social engineering, so it's unlikely that this will be exploited at a large scale. However, you should definitely make sure that you have the patched version (3.6.67) on your site.
There are two additional major security concerns for WordPress users and administrators this month: Jetpack and sloppy web hosts.
The biggest security concern for most sites would be the attempted hijacking of WordPress sites via the official WordPress Jetpack plugin. The Jetpack plugin allows users to connect WordPress sites to WordPress.com accounts for additional features. One of the most useful Jetpack features allows site owners to update or install plugins by logging on to WordPress.com instead of their own site.
Since reputable web sites are a great way for malware to spread, WordPress.com accounts have become a target. Attackers, armed with lots of passwords from the many breaches of the past decade, are simply trying each leaked username/password combination against WordPress.com to see which ones work (a technique known as credential stuffing). If a site owner has reused a password that appears in one of those breaches, the attackers can log in and install malicious plugins on the site without the site owner ever knowing.
The two easiest ways to prevent this are to *never* reuse passwords and to make sure that you've enabled two-factor authentication on WordPress.com.
A weakness at one web host allowed a single compromised account on a single website to be used to infect other users and other web sites on the same server. There's not much for an individual user to do here, but be aware that with cheap hosting, you get what you pay for!
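Checking whether a password already appears in a breach is the practical complement to "never reuse passwords". Have I Been Pwned's Pwned Passwords service lets you do this without sending the password anywhere: you hash it with SHA-1, send only the first five hex characters of the hash, and compare the returned list of suffixes locally (k-anonymity). The script below is an added example, not code from the original post or from Have I Been Pwned; the `SAMPLE_RANGE_RESPONSE` text is constructed for the example so it runs offline, and the live-fetch helper is only used if you call it yourself.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed sample of what the range endpoint returns for the hash prefix
# "5BAA6" (a real response has several hundred lines). Each line is
# "<35-hex-char SHA-1 suffix>:<number of times seen in breaches>".
SAMPLE_RANGE_RESPONSE = """\
1E2A9F8C2D6C3F2D3F1A9B8C7D6E5F4A3B2:12
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1F7DB9C3F7F3C1E6B5D2A6D5C1E1D2F3A4B:3
"""

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """URL for the k-anonymity range query; only the prefix leaves the machine."""
    return RANGE_ENDPOINT + prefix


def pwned_count(password: str, range_response: str) -> int:
    """Return how many times the password was seen in breaches, or 0 if the
    suffix is absent from the range response. Comparison is done locally."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (network). Kept separate so the checks above run offline."""
    req = urllib.request.Request(
        range_url(prefix), headers={"User-Agent": "pwned-password-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    for candidate in ("password", "correct horse battery staple"):
        seen = pwned_count(candidate, SAMPLE_RANGE_RESPONSE)
        print(f"{candidate!r}: seen {seen} time(s) in the sample data")
```

To check a real password, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(prefix)` for that password's prefix; any non-zero count means the password is already in attackers' credential-stuffing lists and should be changed everywhere it was used.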
A company I haven't talked about before, Peloton, is well known for its highly-praised fitness bike and excellent app. However, its ability to make well-designed exercise equipment doesn't seem to extend to security or customer relations.
First, their newly-released Bike+ has a vulnerability that would let anyone with physical access to the bike install malware that could capture a user's credentials and upload them to an attacker. This is not a huge deal for users who own their bike and use it in their home, but it is a huge vulnerability for hotels, fitness centers, etc. that have Peloton bikes used by many people in a day.
Remember, no attacker cares about your Peloton account, but if you've reused that Peloton password for your bank or email account, then you're in big trouble!
Their Tread+ treadmill saga is a bit more worrying, both regarding physical safety and the idea of ownership over connected devices.
Peloton's treadmills (which cost between $2,500 and $4,000) were recalled after an investigation by the US Consumer Product Safety Commission regarding 70 injuries and 1 death that the treadmills have caused.
Some users decided not to return the treadmill, and after a recent software update (that Peloton called a "safety update"), they were met with the "offer" to either pay $40/month to subscribe to the Peloton app to use their treadmill or return the treadmill for a refund. Prior to this update, users could select a "Just Run" option, which allowed them to use the treadmill like a standard "dumb" treadmill.
This is definitely not likely to endear them to current or future customers (some customers compared this approach to ransomware; maybe an exaggeration, but the similarities are real). It's also worth noting that all sorts of IoT or connected devices have the potential for a similar bait-and-switch. If a device depends on a backend server that you don't directly control, there's little to stop a third party from flipping a switch and making your physical hardware all but useless unless you agree to new terms.
Some good and creepy Android news for this month.
First, the good! Google has enabled end-to-end encryption for Google Messages, Android’s default SMS/RCS app. There are a few caveats to get encryption to work – both users must be using Google Messages, they must both have RCS turned on, and it only works in person-to-person chats (no group chats).
Now the creepy! Many users found that their Android phones had installed a COVID tracking app called MassNotify. This app was silently installed on lots of Android devices over the past week or two. Even though the app is designed for Massachusetts residents, it appears that it was automatically installed for non-MA residents, too. So, if you're wondering, yes, Google can automatically install apps without your knowledge or permission.
Finally, if you have a Samsung phone, make sure you apply the latest updates! There are some known vulnerabilities in Samsung’s pre-installed apps that would allow hackers to spy on device owners.
The Chrome development team and Google’s Project Zero have been quite busy this month. Not one but two zero-day (previously unknown but actively-exploited) exploits were fixed this month. That makes seven zero-day bugs fixed so far this year!
Whether you like Chrome/Google or not, their work on security is exceptional. If you haven’t updated Chrome recently, make sure to give it a restart so you can get the latest (secure) version!
Despite a repeated lack of success with chat/collaboration apps (RIP Google Hangouts, Google Talk, Google Wave, and Google Buzz), Google is trying again! There's a new Gmail interface which integrates Gmail, Chat, Rooms (like Slack) and Meet.
Google is also rolling out new protections for Google Workspace (formerly GSuite) users. The new features include phishing and malware protection and client-side encryption to protect your data.
Some more Stadia news – this time good(ish). Google Stadia now (finally) supports Android TV! This is good news for those that already own an Android TV device and didn’t want to buy the $100 Stadia Premier package, but it does seem a little bit late in coming. Why did it take 18 months?
Not to be outdone by the Google Chrome team, Apple has fixed two additional zero-day bugs this month, bringing their total count of patched zero-days to nine for the year so far. If you’ve not updated your iOS or iPadOS device recently, make sure you do!
One bug that hasn't (yet) been fixed: a specially-crafted WiFi hotspot name can break an iPhone's WiFi functionality. This isn't terribly dangerous, since resetting the device's network settings seems to fix it, but it is definitely annoying. If you're curious, here's a look at how and why the crash happens.
If you haven’t installed the June patches for Windows 10, make sure you do that ASAP. Microsoft patched six zero-day exploits, some of which allowed an attacker to gain a foothold in a system by having a user simply open a malicious PDF file.
It looks like Windows 10 isn’t going to last forever.
Microsoft published an End-of-Life notice for Windows 10 Home and Pro this month. Currently, it looks like Windows 10 will be officially retired on October 14, 2025. In its place will be Windows 11. You can see some of the new features in Windows 11 here, and get a hands-on look at it here.
What’s a monthly review without Facebook doing something creepy?
This month, Facebook has started inserting ads inside specific Oculus VR games and apps. The ads use “first-party information from Facebook” for targeting. It’s a shame to see such a great platform fall prey to Facebook’s incessant data-mining, but it’s not a surprise.
One of the reasons the Oculus devices have been relatively inexpensive (compared to other VR solutions) is that Facebook wins three ways for every device sold: Facebook now has more "space" to sell to advertisers, more eyeballs on its ads (which means more impressions and potentially more clicks), and a larger user count (since you must have a Facebook account to use Oculus). As always, if you want to fight Facebook's behavior, vote with your wallet and your online activity.
Miscellaneous Privacy and Security
A trove of stolen data, amounting to 1.2 TB, was discovered this month. More troubling, it's not yet known which malware is responsible for collecting it.
The database contained 26 million login credentials, 2 billion browser cookies, 6.6 million files, and more. The data appears to have come from more than 3 million PCs. If you're curious whether your data is included, Have I Been Pwned has integrated the data into its database.
Anything I missed that was interesting? Questions? Let me know in the comments below or contact me directly.