November 2021 Tech/Security Roundup

WordPress

Plugin Vulnerabilities

  • OptinMonster, a plugin with over 1 million installations, has had several vulnerabilities disclosed. Between them, they would allow any site visitor to export sensitive information from the website or to insert malicious JavaScript that would then be served to other site visitors. OptinMonster is a plugin designed to make it easy to create sales campaigns. The patched version is 2.6.5.
  • Starter Templates, another plugin with over 1 million installations, has had a vulnerability disclosed this month. The Starter Templates plugin allows site owners to import templates for various site features and includes templates for the Elementor, Beaver Builder, and Gutenberg page builders. The vulnerability would allow any Contributor-level user to overwrite any page with malicious code that would then be sent to other site visitors. The patched version is 2.7.1.
  • NextScripts: Social Networks Auto-Poster, with a mere 100,000 installs, had a cross-site scripting (XSS) vulnerability patched this month. This vulnerability could allow a legitimate administrator to inadvertently insert malicious backdoors or rogue administrator accounts into their site simply by visiting a specific URL. This vulnerability is fixed in version 4.3.21.
  • WP DSGVO Tools (GDPR) is a plugin designed to make it easy to deal with user information and the GDPR regulations. WP DSGVO Tools had an actively exploited XSS issue that would allow an unauthenticated attacker to delete arbitrary posts or pages on the site. This plugin has 30,000 installs – the patched version is 3.1.24.
  • Preview E-mails for WooCommerce is an extension for WooCommerce (not the main WooCommerce plugin) with 20,000 installations that makes it easy to preview email templates before sending them. This plugin had an XSS vulnerability disclosed this month. As with the NextScripts plugin, this XSS could inject malicious code into a page if a logged-in administrator could be tricked into clicking a specific link. The patched version is 2.0.1.

GoDaddy

A few days ago GoDaddy disclosed that an attacker had gained unauthorized access to GoDaddy’s Managed WordPress sites, impacting up to 1.2 million WordPress customers. In addition to GoDaddy Managed WordPress sites, six resellers (tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe) that are brands managed by GoDaddy were also impacted.

Access was obtained using a compromised password. The breach exposed email addresses, customer numbers, original WordPress administrator passwords, sFTP and database usernames and passwords, and SSL private keys.

You can read more about the data breach here.

More Attacks

According to a report by WordPress security firm Wordfence, login attacks against WordPress sites are increasing. The increase is being driven by attackers using AWS and other cloud services, which make it easy to automate and scale up attacks.

According to the Wordfence report, about 77,000 IPs are taking part in this attack wave, with 40 IPs each responsible for 1 million attacks since November 17th of this year.

This is a great reminder that one of the best ways to keep your site safe and secure is to use a long, unique password.
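The attacks described in the Wordfence report are automated password guessing against wp-login.php, which leaves a very recognisable trace in a site's own access log. The script below is an added example (not part of the original post and not Wordfence's code) that counts failed login POSTs per source IP in a sliding time window and flags IPs that exceed a threshold. It assumes the default Apache/nginx combined log format and uses the heuristic that WordPress answers a wrong password by re-rendering wp-login.php with HTTP 200 while a successful login redirects with 302; the log lines it runs on are constructed sample data with documentation-range addresses, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format, as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def is_failed_login(method, path, status):
    # Heuristic: WordPress re-renders the login form with 200 on a bad password
    # and issues a 302 redirect on success, so a 200 to a POST is a failed attempt.
    return method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200


def find_bruteforcers(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: peak failed logins within any `window`} for IPs at or above `threshold`."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not parse rather than crash on them
        ip, ts, method, path, status = parsed
        if is_failed_login(method, path, status):
            failures[ip].append(ts)

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        # Sliding window: advance `start` until the window contains only recent failures.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def make_line(ip, when, method="POST", path="/wp-login.php", status=200):
    # Build one constructed combined-format log line (sample data, not real traffic).
    ts = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3412 "-" "python-requests/2.26"'


def constructed_log():
    """Constructed sample: one scripted guesser, one user who fails once then succeeds, noise."""
    start = datetime(2021, 11, 17, 10, 0, 0, tzinfo=timezone.utc)
    lines = [make_line("203.0.113.7", start + timedelta(seconds=15 * i)) for i in range(12)]
    lines += [
        make_line("198.51.100.4", start + timedelta(minutes=1)),               # one wrong password
        make_line("198.51.100.4", start + timedelta(minutes=2), status=302),   # then a successful login
        make_line("192.0.2.9", start, method="GET", path="/", status=200),     # ordinary page view
        "garbage line that does not parse",
    ]
    return lines


if __name__ == "__main__":
    for ip, count in find_bruteforcers(constructed_log()).items():
        print(f"{ip}: {count} failed logins within 5 minutes")
```

In practice you would feed the real access log into find_bruteforcers and hand the flagged IPs to a rate limiter or firewall rule; the threshold and window are the knobs to tune so that a user who mistypes a password a few times is not caught alongside a script making hundreds of attempts.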

Google/Android

Huawei AppGallery Malware

It looks like the discovery of weak security in Huawei’s app store (AppGallery) was a ticking time bomb. A large malware campaign has been discovered on AppGallery which has infected approximately 9.3 million devices. The malware was found in at least 190 apps and is capable of exfiltrating sensitive user information, intercepting SMS messages, and installing additional malware.

Vulnerability in 40% of Devices

A bug in Mediatek’s processors has been patched – but that’s cold comfort to the millions of devices that will likely never be updated. The vulnerabilities would allow attackers to eavesdrop on phone calls, elevate privileges, or execute arbitrary commands. Mediatek processors are present in 37% of smartphones globally.

While Mediatek has (to their credit) patched this vulnerability, Mediatek processors are used in lower-end phones. Since many of these never receive updates, they will always be vulnerable to these attacks.

Encrypted Phone Calls

It looks like Google Fi is getting encrypted phone calls – under certain situations. Both users will need to be using Google Fi on an Android phone for this feature to work, but it should happen automatically in the coming weeks.

Foldable Pixels in 2022?

An interesting rumor is developing for the 2022 Pixel – there may be a foldable version. This corroborates some of the software rumors, with Android 12L incorporating features for tablets and foldable devices.

Blocking 3rd-Party Trackers

While Apple’s new App Tracking Transparency is a pretty big hit with users (and a nightmare for advertising companies and Google), there’s no such feature in Android.

However, a new feature in DuckDuckGo’s Android app will alert and block 3rd-party trackers in Android apps that you use. Click here for more information about the feature and information to sign up for the limited beta.

Wear OS Progress

Google’s Wear OS went through a bit of a shakeup earlier this year, with Google and Samsung teaming up to improve both the hardware and software features of Wear OS devices. It looks like it’s paying off, with Wear OS market share jumping from 4% in Q2 2021 to 17% in Q3 2021.

One OEM Updates six-year-old Android

While the Pixel 6 was a bit of a disappointment in the long-term support category, there’s one Android OEM that’s showing how it should be done. Fairphone announced earlier this month that it would be releasing Android 10 for the Fairphone 2 – a six-year-old device. It took a lot to make it happen – including enlisting the help of the open-source community – but it shows that it is possible. Most companies just don’t want to spend the money.

Windows

If you needed a reason to update to Windows 11, it looks like the most recent Windows 11 update includes new emoji (which includes a Clippy emoji). Wow.

Apple

Apple made a surprise move this month by announcing the Self Service Repair program, which will “allow customers who are comfortable with completing their own repairs access to Apple genuine parts and tools”. While Apple’s blog article indicates that this program is primarily for technicians and not for your average consumer, it is still a welcome change.

Netgear

A vulnerability in about 80 different Netgear devices could potentially allow an attacker to log in to the router’s administrator interface and reach the local network. While this may not sound serious, remember that access to a local network is the first step in many ransomware attacks, so if you’re using one of the (many) affected devices, you’ll want to patch it immediately.

24 Hours to Compromise

That’s how long it takes (on average) for an exposed device to be targeted by attackers online, according to a study by cybersecurity firm Palo Alto Networks.

They set up 320 honeypots (intentionally vulnerable devices) in July of this year to test how quickly attackers exploit vulnerabilities, and they were not disappointed. SSH vulnerabilities were targeted within 3 hours of a honeypot appearing online, and attacks happened about every 2 hours. This shows the massive job facing security teams – who may take days (or longer) to deploy security updates in large institutions.