11 comments

[ 3.2 ms ] story [ 37.1 ms ] thread
Maybe someone gained svn root? http://svn.wp-plugins.org/

The problem is while WordPress has evolved to a secure way of not storing passwords but instead the salted hash, new passwords (and resets) are still sent in the clear via very insecure, plain text email, and probably archived forever on some services like gmail, hotmail, yahoo, etc.

Three plugins with non-overlapping developers (as far as I can tell), but I suppose that doesn't really decide anything.
This could be as simple as a piece of software they all tried being malicious. Even prominent plugin authors are vulnerable to malware pretending to be a shiny new toy.
I can't comment on how the accounts were compromised (As I'm not part of those investigating) however I'm pretty sure I can say it's the accounts that were compromised (As the commits came from the plugin owners accounts) and not the svn server or svn root.

It looks like certain accounts were compromised, how? I don't know, It could be anything from the users having weak passwords, or even MITM attack/sniffing (Unsecured Wireless anyone? - I bet most of these authors have been to a WordCamp or 2) - But like I said, I don't know how, that's pure speculation.

WordPress.org (and the WordPress Software itself) has not sent passwords in emails for awhile now, except in cases where it's absolutely required.

When a user forgets their password, a email with a single-use url is sent, that link allows them to change their password. Yes, If their email is compromised, their account can be compromised.

When a user changes their password, It is not sent via email to the account owner or site administrator.

When a New install is created, If the user enters a password during the installation process, their password will not be sent via email. If they leave it at the default randomly generated password, it WILL be emailed to them, and they'll be asked to change it upon next login, They're expected to change it when they login.

If a new user is added to a WordPress installation, and the admin sets a password, they can choose to send an email to the user with their details.

It's all weighing usability vs. security against each other, the cases where WordPress Core sends emails right now that includes a password, is very minimal (and only in cases where it's actually required).

Some people choose to disable the password reset process entirely on their installations, If you have server access, or a decent ammount of knowledge, often it's an undeeded component.

"It looks like certain accounts were compromised, how? I don't know, "

Maybe they all had Playstations?

It seems it is time to do away with password authentication and start thinking in terms of pubkeys. I recently disallowed all password logins via SSH for all the machines where I can do this. Next, I am looking into authenticating sudo via ssh-agent through PAM (seems the code to do this is not available in standard Ubuntu repos).

If only more places were OpenID enabled, there would be less passwords to protect for the web.

Hmm, so what happens when your OpenID password or provider gets hacked?
I currently run my own OpenID end point and once anything but HN and Stack Overflow starts supporting it I will probably add two form auth and use client-side certificates for authenticating with it. Also Google supports two factor auth now and they are an OpenID provider too.
This is the timeline I see from when it happened?

http://plugins.trac.wordpress.org/timeline?from=06%2F21%2F11...

http://pastebin.com/raw.php?i=G06rbb5a

Actually, maybe that is the reversion log, yeah it is.

Trying to find what they did:

http://plugins.trac.wordpress.org/changeset?old_path=%2Fw3-t...