By SecureWorld News Team
Tue | Jun 18, 2019 | 11:24 AM PDT

It's like the cops telling the robbers how they can break into a place.

Why would a "cybersecurity firm" release newly discovered Zero-Day security holes—without giving anyone a chance to create a patch?

That's a really good question being asked right now by angry WordPress developers and programmers around the globe.

WordPress, by the way, is the most popular content management system (CMS) on the planet, with nearly a 60% market share in the space.

Cybersecurity firm publishes POC related to web vulnerabilities

The company in question, White Fir Design LLC, offers a cybersecurity product called Plugin Vulnerabilities with the tagline, "A service to protect your site against vulnerabilities in WordPress Plugins."

Plugins are add-ons to a website's functions and features.

WordPress plugins are created by developers and often shared for free or at a low cost to benefit the rest of the WordPress user community.

In many cases, these plugins are developed with code that can be exploited by hackers. That is trouble enough.

Now, however, Plugin Vulnerabilities is publicly publishing its proof of concept (POC) documentation on how these new security holes can be exploited. 

Hackers are in turn using this information to develop malware that attacks WordPress websites.

One of the most recent public revelations includes security holes in a plugin called "Messenger Customer Chat," which allows you to use Facebook Messenger to chat with customers on your WordPress site. Also recently revealed by the company is "Facebook for WooCommerce," an e-commerce plugin for WordPress sites that also integrates with Facebook.

Why would a security firm release Zero-Day exploits?

There is a lingering question here: why would a so-called security firm do something like this?

On its Plugin Vulnerabilities web forum, the company says it is taking this action because WordPress refuses to take cybersecurity seriously and the website company essentially had this coming:

"An unfortunate reality when it comes to the security of WordPress websites is that the people behind WordPress have for years refused to take actions that would largely resolve major security with WordPress plugins and that has led to far too many websites being unnecessarily hacked.

We have tried for years without success to work with them to fix those issues. Their reason for refusing to leave those problems unfixed has never really made sense, as among other things, we have offered to do most of the work for them to get them resolved."

Interestingly, in this same post that expresses moral outrage over a lack of security, it lists a whole bunch of bullet points on how its security service can protect you and your website from these unresolved issues.

What is WordPress doing about security vulnerabilities?

A post like the one above does bring up a question worth examining. What is WordPress doing about improving the cybersecurity of its core code and of WordPress plugins?

When it comes to the core WordPress code, WordPress has teamed up with the bug bounty platform HackerOne to pay those who report new security vulnerabilities:

"Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program," says WordPress. 

[This is how to report vulnerabilities on the WordPress Bug Bounty Page.]

When it comes to plugin security, at the center of this fight, WordPress has published specific guidance:

"If you find a plugin with a security issue, please do not post about it publicly anywhere. Even if there’s a report filed on one of the official security tracking sites, bringing more awareness to the security issue tends to increase people being hacked, and rarely speeds up the fixing."

This is the exact opposite, of course, of what the "security firm" is doing. And it may be a big reason the researcher involved is doing it. WordPress forum moderators have repeatedly banned the researcher for publicly posting details about security vulnerabilities.

WordPress asks users to contact plugin creators directly (if known), and also provides an email specifically for reporting plugin issues to the WordPress team itself, if necessary.

[This is how to report WordPress plugin security vulnerabilities.]

Posting POCs of security vulnerabilities is a gift to hackers

Sadly, the biggest winners in this WordPress feud appear to be hackers. 

Examples of this are discussed in a Medium post which says the "security firm" is seriously undermining the security of the WordPress ecosystem.

"Instead of reporting the vulnerability to developers, so they could fix it before the disclosure (usually considered responsible disclosure), pluginvulnerability.com intentionally posted the proof of concept on how to exploit the plugin and shared it on Twitter.

As far as we can tell, they made no attempt to contact us, and no attacks took place until they published their proof of concept. They single-handedly handed the exploit to hackers." — developer of the Social Warfare plugin

In cybersecurity, we know there are different categories of hackers: white hats, who find vulnerabilities and report them, to make security stronger; and black hats, who find vulnerabilities to inflict damage and profit themselves while hurting others.

Which category does this 'security firm' belong in? Let us know.

Editors' Note: We put the term "cybersecurity firm" in quotes throughout this article on purpose. At our SecureWorld cybersecurity conferences, we work with over 150 different cybersecurity vendors who are passionate about making organizations secure. From where we sit, they operate much differently than this "cybersecurity firm."
