I’ve always been curious how open and proprietary content management systems handle critical hacks, whether of the core CMS or third-party plugins/extensions/modules/etc. It is an amazing part of any ecosystem since there certainly can be room for mischief and competitive advantages. What’s great about open source projects in general is the sense that a project is as strong as its weakest link. The interconnected WordPress ecosystem really looks out for each other, and we were able to see that in real time with the recent Elementor Pro hack that affects ~1,000,000 websites.

Depending on your timezone, a critical role escalation vulnerability was discovered and announced May 6 by Wordfence. It’s important to note that they weren’t exclusive in this awareness.

A lot of people came together and we just happened to have the biggest megaphone.

Kathy Zant

What makes this vulnerability timeline very interesting is that this was a zero-day active exploit. The worst kind. This means it was just discovered and is being taken advantage of by malicious actors right now. The general good-citizen rules say that the vendor of the solution should be informed, patches created, and potentially impacted users notified by the vendor. There is no time for that with “zero active!”

I reached out to Wordfence to get a little more insight into the process for handling “celebrity bugs” as Mark Maunder likes to call them.

In a global world, timezones can make life complicated. The general timeline went as follows:

  1. Wordfence notices chatter regarding a new exploit
  2. Wordfence verifies chatter against logs
  3. Wordfence notifies Elementor (doh! big timezone difference)
  4. Wordfence develops, tests, and deploys rules
  5. Stupid timezones still inhibiting communication while active attacks are occurring
  6. Confirmation from Elementor
  7. Exploit announced

In a perfect world, steps 3 – 6 would be happening concurrently, but in all honesty this was an insanely fast level of mitigation for an active hack.

To bring this around to why it’s especially special in open source: all of the vendors involved actually know each other personally and are appropriately considerate and reactive to surprises like this. Open source communities foster these kinds of ongoing connections via in-person and virtual events, forums, and a mutual love and admiration of their respective projects. These personal networks can speed up the process and benefit everyone.

Some lessons for everyone: get connected and stay connected with the providers of your solutions. If you are a plugin developer, get to know all the security teams out there and create simple and direct methods of communication. You don’t need to have bug bounties, but recognize the work by security professionals (Elementor had some great retweets acknowledging Wordfence), and be transparent.