Welcome to the Patchstack Weekly. It’s week 47 and this week we talk about incident response, Hide My WP vulnerabilities, and GoDaddy breach. This update is for November 25th, 2021.
This week’s news is about a breach at a major hosting provider that affected over a million WordPress websites, and I will cover a premium plugin with multiple vulnerabilities found by the CTO here at Patchstack, who knows a thing or two about vulnerability hunting.
I will then cover the importance of communication as part of security incident response, including both the legal and public relations angles. When done right, even bad news becomes good news, but you can not delay, because the news is fast these days and opportunistic competitors may try to control the narrative before you know it.
Vulnerability News
Hide My WP Vulnerabilities
This week’s vulnerability news highlights recently patched vulnerabilities in the Hide My WP plugin by wpWave. Patchstack’s own CTO, Dave Jong, has been working with the team over at Code Canyon and the developers of this premium plugin over the last month with his findings.
Dave released a great write up detailing how an HTTP Header ended up in an unprepared SQL statement, leading to an unauthenticated SQL injection vulnerability, as well as a quirky logic error that could end up allowing someone to disable the plugin (and thus, no longer hiding your WordPress site.)
Site owners using this premium plugin are encouraged to update to version 6.2.4. The update may not be automatic because this is a premium plugin, so it would be a great idea to double-check!
GoDaddy Breach
Now, on to more troubling news to disclose. GoDaddy, one of the top web hosting providers, recently filed a report to the SEC (Security and Exchange Commission) which outlines that they identified an unknown third party that had access to internal GoDaddy systems for over a month.
The attackers gained access to GoDaddy’s legacy WordPress management systems via a compromised password, with this access the attackers were able to retrieve passwords (not encrypted hashes, but the actual passwords), email addresses, and other secrets from up to 1.2 million WordPress websites.
If you host your WordPress site with GoDaddy or one of the WordPress hosting providers GoDaddy now owns (such as Media Temple, tsoHost, Host Europe, and others) then keep an eye out for an email with more details. They are notifying customers via email with recommended steps to follow, so keep an eye out for it, and maybe check your spam folders.
Weekly knowledge about incident response
Incident response, and communication
Security breaches happen, this is a given, and when they happen it is important to have a plan in place. That plan is called incident response in the infosec field.
A commonly overlooked part of incident response plans though is how the organization plans to communicate the issue with their customers and the general public. Communication should not be forgotten though, for one reason they help build trust with customers, but more importantly, there may be a legal requirement to do so.
While I will focus on the communication aspect of the incident response plan. This is not to downplay the actual remediation steps or the impact to affected site owners (which is substantial) but to share thoughts on how organizations should not neglect the communication step and be sure to plan this step ahead and not during or after an incident.
The good news is, shortly after the SEC report was released GoDaddy began notifying affected customers via email. It is unclear why the SEC report was the first public communication, but this led to some confusion.
For a few days, site owners on GoDaddy were full of anxiety and concern not knowing if their sites were affected. These customers knew there was a breach, but were unsure if or what action they needed to take.
We should acknowledge that sending mass emails to hundreds of thousands of customers is no simple task, so delays should be expected. The communication was simply done in an order that resulted in a lot of speculation by journalists and business owners in the community. That speculation could have been avoided, by contacting customers first and reporting all findings and details, when the investigation is complete, to the SEC.
An opportunity to learn
Business owners and security professionals out there can use this as an opportunity to learn more about the laws around reporting breaches in their local jurisdiction, and hopefully review (or create) their incident response plans.
When you look at your incident response plan, be sure you have a checklist of who to inform, in what order, and what sort of data should be shared regarding the incident.
I recommend you make sure it is written down, and you may even want to practice writing up example breach notification reports that communicate clearly to your customers that an incident happened, how you handled it for them, and that they are your top priority.
This practice and process may go unused for a while, but … in the inevitable event of a security breach, you will already know what to do, how to handle it, and how to communicate the incident clearly to retain your customer’s trust.
Thanks and appreciation
This week’s thanks go out to Dave Jong, the helpful team at Code Canyon, and the wpWave developers for patching multiple unauthenticated issues in the Hide My WP premium plugin.
A moment of appreciation and empathy is also extended to the GoDaddy security team and all of the customers affected by the breach of their hosting systems. This story is still ongoing, so there may be more details emerging soon.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly security update!