The most convoluted hack
Maybe once or twice a year an over-eager someone reports a security issue with one of my plugins. Cool, you might think. Someone who cares and helps!
Yeah, in their mind they are helping and doing a good thing. But more often than not they find such benign nonsense, things that are barely a hack, or not actionable.
Things like where I forgot to secure a specific link, but that link would only work for an admin user, and all it would do is trigger a maintenance task, not accepting any inputs. Or in other words, who cares if someone tricks you, or anyone, into clicking it.
Yes, that got reported two years ago… It was labeled as critical, too. And yes, the argument as to why it doesn’t really need fixing took way too long.
Because why would you be able to discuss their findings? Or why would you be able to try to explain that they have the context of the code all wrong? In my experience you can’t; it usually quickly devolves into borderline blackmail.
These self-important folks make me comply with their demands, or they out me and my software as irresponsible, or complain about how poorly my software works.
So these days I just apply the fix they demand and get on with my day. I’ll spend as little time as possible on it because there is no talking to such people.
Ignoring them outright causes irreparable reputation damage, since their actions ruin the software. WordPress plugin moderators, for example, commonly pull plugins offline over reports like this.
That said, hurting me or my software would be fine if the problem they found were actually a threat to the real world, or affected any users in a way that matters. Even more so if I refused to fix the problem. But over the last 10-15 years my experience has been that these “security researchers” usually are inflexible and unyielding. Incapable of discussion or seeing the damage they might cause with their reports. All they seem to want is a +1 on their report card so they can show the world how seemingly useful they are.
Just like this weekend. A vulnerability was reported that is so convoluted it makes you wonder how it was even found. The attack method requires so much privileged access that at that point the hack is a pointless hassle. But yes, I did the update and applied the suggested fix without even trying to start any discussion. I understood the ‘problem’. And I didn’t argue this time, for it would be pointless. Never mind that with the required access there are several simpler ways to achieve the same goal.
Why? How? Well, for this hack to work the hacker would need to be in a position to create and run Python scripts on the server. If an attacker can do that, there is literally no need to exploit the vulnerability. Just edit the files, make the changes you want, or upload other files to achieve your goal.
It also means that this ‘hack’ is the least of the website or server admin’s worries because they’re already in the files with all kinds of access to the system.
Now if this attack would be exploitable from a remote system, that would be a serious problem! But it’s not.
What makes it even less of an actionable vulnerability is that it requires a specific combination of plugins and settings to even work, and, well, you get the idea: it affects practically no one.
That’s not to say the vulnerability is fake. It also doesn’t mean that it should not be addressed. But, as usual, there is no real world threat. Solutions should be up for discussion. And there certainly isn’t a need to label it as high risk with a severity of 8.8 out of 10.
Luckily whoever found this exploit spent a whole lot more time on it than I did, making it their waste of time for the most part.
I could just spend 5 minutes on reading the email, 5 more minutes coming up with a fix, and then another 15 minutes to make the world a better place.