fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

WordPress Force Installs Jetpack Security Update on 5 Million Sites

WordPress Force Installs Jetpack Security Update on 5 Million Sites

Automattic, the company behind the WordPress content management system, force deploys a security update on over five million websites running the Jetpack WordPress plug-in.

Jetpack is a remarkably popular WordPress plug-in that provides free security, performance, and website management features, including brute-force attack protection, site backups, secure logins, and malware scanning.

The plugin has more than 5 million active installations, and it is developed and maintained by Automattic, the company behind WordPress.

Also Read: How to Comply with PDPA: A Checklist for Businesses

No in the wild exploitation

The vulnerability was found in the Carousel feature and its option to display comments for each image, with nguyenhg_vcs being the one credited for responsibly disclosing the security bug.

No other details are available regarding this security flaw to protect the sites that haven’t yet been updated. However, we do know that Automattic addressed it with added authorization logic.

The announcement made by Automattic says the bug impacts all versions starting with the Jetpack 2.0 release and going back to November 2012.

The Jetpack development team added that it found no evidence that the vulnerability has been exploited in the wild.

“However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability,” the developers warn.

Jetpack patch
Jetpack patch

Automattic is force installing patched versions on all websites running vulnerable Jetpack versions, with most sites already having been updated.

“To help you in this process, we worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0,” Automattic said. “Most websites have been or will soon be automatically updated to a secured version.”

Currently, download stats available on the WordPress Plugins site confirm that the security updates have been pushed to most if not all exposed websites.

Jetpack downloads history
Jetpack downloads history

Also Read: In Case You Didn’t Know, ISO 27001 Requires Penetration Testing

Forced updates used to patch critical bugs affecting millions

This is not the first time Automattic used the automated deployment of security updates to patch vulnerable plug-ins or WordPress installations.

WordPress lead developer Andrew Nacin stated in 2015 that the company had used automated updates only five times since its launch.

Samuel Wood, another WordPress developer, added in October 2020 that Automattic used the forced security updates feature to push “security releases for plugins many times” since WordPress 3.7 was released.

This hints at the fact that Automattic deploys forced updates to patch plug-ins used by millions of sites against critical security vulnerabilities.

For instance, in 2019, Jetpack received a critical security update to fix a bug in the way the plug-in processed embed code.

Another security update addressed an issue found during an internal audit of the Contact Form block in December 2018. A May 2016 critical security update patched a vulnerability in the way some Jetpack shortcodes were processed.

In related news, in 2018, threat actors also found a method to install backdoored plugins on WordPress websites using weakly protected WordPress.com accounts and Jetpack’s remote management feature.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us