If you (or anyone you know) are one of the people that uses AMP for WP — the extremely popular Google Accelerated Mobile Pages (AMP) plugin — you NEED to update your plugin as soon as possible!
Recently, AMP for WP was subjected to a massive security vulnerability that put all +100,000 of its users at risk.
Today, we're going to look at the vulnerability, discuss its implications, and give all WordPress users a critical piece of security advice moving forward.
The Calm Before the Storm
This unusual affair started on October 21st, 2018, when AMP for WP was unexpectedly pulled from the WordPress plugins page. Instead, users were greeted with the text "This plugin was closed on October 21, 2018, and is no longer available for download," which is uniquely strange for anyone that's familiar with WordPress's platform, as a major portion of WordPress's mobile functionality (in relation to speed) is hinged on this popular plugin.
As users flooded to the comments section to attempt to decipher what was happening, the AMP for WP dev released a statement. According to the developer, there was "a security Vulnerability in our plugin which could be exploited by non-admins of the site."
Obviously, this was cause for concern for the over one-hundred-thousand users who leveraged the plugin to improve mobile speed. The ominous message was followed by an unusual pitch: AMP for WP developers were giving users download links for the plugin outside of the WordPress platform.
In the same statement, they insisted that: "will submit the new code which will be reviewed and released within a couple of days" followed by the ever reassuring "there's no need to worry."
A couple of days turned into a couple of weeks. In fact, the updated version of AMP for WP wasn't available until November 14th, 2018, which means that it took the developer a full month to patch the flaw. During this month, the publisher was still pushing users to download the plugin, and all of those users that already had the plugin were hyper-vulnerable.
Remember, this vulnerability had existed before. But, when they made their statement and announced the vulnerability to the world, spending over a month finding a patch puts their users at a serious security risk.
So, what was the vulnerability?
When we talk about vulnerabilities, we tend to think about them on a scale. The AMP for WP vulnerability broke the scale. Some vulnerabilities require specific scenarios in order to duplicate and nuance techniques to utilize. This was not one of them.
While the developers were busy telling users that the results were "temporary" and they would be fixed "within a couple of days." They also told their users that they could "continue to use their plugin as normal."
The vulnerability couldn't be so bad, right? After all, the developers say it's a quick-fix and users can continue on with no problems. Wrong! Not only was this vulnerability significant, but it made every website and online store (using it) that had the ability for users to register entirely vulnerable to attack.
Why is that?
AMP for WP allowed any registered user to call an ajax hook that let them change critical plugin functions without checking for their user role. So, whether you're a guest that simply registered to make a comment or you're a writer-privileged account, you could abuse the weak code in the plugin to make significant changes to the WordPress website or blog.
- Installing mining bots
- Installing malware
- Inject advertisements
- Creating backdoors
Luka Šikić from WebARX — who found the vulnerability — wrote the following once AMP for WP was finally put back on the WordPress marketplace. (note: this was done to help prevent hackers from abusing the code weaknesses pre-fix)
In WordPress plugin development, you have the ability to register ajax hooks which allows you to call functions directly on wp-admin/admin-ajax.php?action=action_name.
Unfortunately, on AMP for WP:
Every registered user (regardless of account role) can call ajax hooks.
Which meant that:
All credit to WebARX and Luka Šikić. Read their original post here.
A Look at the Storm's Damage
Now that we're all caught up, let's take a look some of the major problems surrounding this entire vulnerability.
Of course, the vulnerability itself was a problem. In fact, this wasn't the first time this exact vulnerability was abused. A little over a week earlier WP GDPR Compliance was compromised via a similar vulnerability path (users calling ajax hooks without privilege checks.)
But, the real threat here isn't the vulnerability (which is a big deal!) it's the situation. Not only was AMP for WP facing a massive vulnerability issue on a massively popular plugin servicing over +100,000 people, but they also continued to urge users to download and use their plugin before it was patched.
Now that it's back up, it's turned into a "bygones will be bygones" sort of situation — which is unfortunate for such a massive CMS plugin developer.
WordPress's ability to control security issues is an obvious — and continually ongoing — issue. This year we saw WordPress vulnerabilities rise substantially (3x more!) and the primary source of those vulnerabilities was plugins.
If WordPress wants to halt the extreme number of vulnerable plugins that seem to be floating around in their ecosystem, they can't allow behavior that blatantly puts their users at risk.
We understand, AMP for WP is an important plugin for mobile site speed, but the developers shouldn't be able to tell their users "not to worry" and to "continue using the plugin like usual" if there is a KNOWN issue.
As usual, WordPress is facing another plugin issue. Leaky 3rd party plugins tend to be the majority of WordPress's vulnerability problems. Unfortunately, WordPress is becoming more vulnerable year-over-year, and that number will continue to rise if more isn't done to protect their users against malicious 3rd party apps.
For now, we heavily recommend that all AMP for WP users download the latest patch. To be safe, we suggest disabling registration until this current set of vulnerabilities has disappeared for a while. Again, there have been others in the last month that abuse this same pathway.
Are you looking for a safer CMS option? Contact us.