Exploits Happen - A postmortem on our recent web vulnerability

Originally published at: https://mycroft.ai/blog/exploits-happen-a-postmortem-on-our-recent-web-vulnerability/

Exploits happen; we hate it when they happen to us. At around seven in the morning (US Central time) on April 10th 2019, we became aware that our main website was being redirected to a spam site, as a result of an unpatched plugin – Yuzo Related Posts (YRP). We immediately flipped our website into a secure fallback until we determined the source of the vulnerability. After we identified the attack vector, we restored from backups, patched all plugins, and removed YRP.

We feel that as an open and privacy-focused organization it is important to let others learn from our challenges, and hopefully avoid similar situations. We want to be as transparent as possible with our Community about this incident, both to allay any fears and to help others. This is one of the reasons we run all our Incident Reports publicly.

Let’s start with allaying fears

This appears to have been an automated attack, with the intention of hijacking websites to redirect them to spam, based off of the YRP plugin vulnerability disclosed on March 30, 2019. This attack exploited a developer using is_admin() to determine if the user was an admin. In fact, that check is meant to determine whether the current request is for an administrative interface page. Additionally, in the developer documentation for is_admin(), it specifically says that it “Does not check if the user is an administrator; use current_user_can() for checking roles and capabilities.”

Fortunately there is no indication of private data compromise as part of this exploit, just a hijack and a redirect. We’ve removed this plugin, and life goes on.

What takeaways did we have from this that are worth sharing?

We think there are three key things to learn:

  1. Ensure you have policies in place to periodically check and patch all software and plugins. We have very attentive and astute technical folks on staff, but we lacked a formal schedule for patching. This has been addressed. It is worth noting that this simple change may not have actually prevented the compromise, but having a plan (and an accurate software inventory!) ensures that all things are consistently updated.
  2. Automated vulnerability scanning/awareness systems are your friend. Though defensive tools require resources, so do incident handling and business recovery. We recognize the value of such systems, and are in the process of putting some in place.
  3. Even if you’re doing everything right, stuff happens. Before it does, make sure you are ready to respond to it and maintain business continuity while everyone scrambles in the background.

So that’s it! We look forward to continuing to provide amazing capabilities, and we’ll keep you updated if there are any unexpected developments.