Stanley Westerveld
Forum Replies Created
Forum: Plugins
In reply to: [cloudsafe365_for_WP] [Plugin: cloudsafe365_for_WP] Install to get hacked
It is clear to me that cloudsafe365 are offering a compelling product, not just because of the product description but also because of the supporting statements here in this forum.
I have been pushing pretty hard on this forum to get cloudsafe365 to go the extra mile. I don’t know to what extent my pushing contributed there (actually, it doesn’t matter), but it seems cloudsafe365 have gone the extra mile and are seriously trying to do the right thing there.
The way I went about this may have given the impression that I think cloudsafe365 are not handling this responsibly. That is not the case. Yes, I have been pushing them to do more and keep moving. Most important is that they did more and kept on moving.
Security incidents are hard to handle, from a technical, a commercial and a communications perspective. Given that they are working from a different time zone than most of us, I think in the end they managed to handle this incident, even though it may not have been entirely flawless, much better than the vast majority of the industry.
Well done! I have been contacted privately by cloudsafe365, so I am off to my private mailbox now.
Forum: Plugins
In reply to: [cloudsafe365_for_WP] [Plugin: cloudsafe365_for_WP] Install to get hacked
@cloudsafe365 (whoever their representative on this forum might be)
If there is anything inaccurate about this post stream, then that’s due to the way you communicate about this issue. You are correct, you provided a fix very fast. From then on, however, you were lacking in your communication towards your users.
The things you did right:
– You provided a quick fix
– You eventually added the fact that there was a security incident in the change log
– You informed your users about a security issue on your blog
However, you did not inform your users about the impact of what happened, nor did you advise users to change their passwords and/or salts.
Sorry for being a pain in the butt, but really, there still are 500-1000 users who potentially had/have sensitive information exposed. Just telling them to upgrade is not enough.
Due to this issue I could read the WordPress config.php on cloudsafe365.com. Did you (cloudsafe365) change your password and salts? If not, all it would take me to take control of your WordPress installation is some other vulnerability that allows me to place some arbitrary file on your installation. Such a vulnerability *will* arise some day, either through WordPress itself, some third party plugin, a PHP vulnerability or an Apache/Nginx vulnerability.
If you changed your password, why don’t you tell your users to do the same? If you did not change your password, what makes you think you don’t have to?
Just to be clear: I saw your password but didn’t write it down or memorize it. I don’t have any bad intentions, I am just concerned about the way you are dealing with this issue towards your users, especially since you provide a security service, be it a paid or a free one. The average user tends to trust that you, the one offering that service, will do the right thing. You have not done all the right things yet.
Please, instead of publicly ignoring good advice here in these fora, start informing your users about the impact and about what they need to do besides upgrading the plugin. After all, advising your users about how to handle security issues is the business you are in isn’t it?
If you would like to take this discussion somewhere else, feel free to contact me. I changed my profile to show my real name instead of my nick, just Google it and you will be able to contact me.
Forum: Plugins
In reply to: [cloudsafe365_for_WP] [Plugin: cloudsafe365_for_WP] Install to get hacked
Okay, the change log has been updated. However, looking at the stats it looks like roughly 20% of the 10.000+ installed instances of this plugin are the affected version 1.46. That means that potentially 2000 blogs are still affected right now, and that the owners of these blogs not only need to be informed about the fact *that* there is a problem, but also about *what* the problem and its impact is.
Someone (cloudsafe365 if you ask me) needs to inform those blog owners. You are right, there is no cover up going on, but the full story is not being told either.
Forum: Plugins
In reply to: [cloudsafe365_for_WP] [Plugin: cloudsafe365_for_WP] Install to get hacked
It would be nice (<- that’s an understatement…) if the fix were mentioned in the change log. At the moment the change logs give the impression that the latest versions only introduced some performance tweaks, with no mention of a serious security problem and the need to upgrade a.s.a.p.:
= 1.47 =
* Bugfix: removed some old latency flile in the system.
* Improvement: sped up coms system.
* Improvement: Added faster capabilities to dropbox.
I assume that “latency file” should actually read “legacy file”, but even if that assumption is correct it would only tell half the story. The legacy file actually left blogs with a gaping hole. Bad communication.
Users should be informed about the potential impact of that legacy file lying around, they should be told to change their (database) passwords and salts, and if cloudsafe365 really want to help their users they should inform them about how to investigate their logs for traces of abuse through the legacy file.
Security is not just about technique, it is just as much about open and straightforward communication and honesty, i.e. doing the right thing, even if that means you’ll have to pay the piper.
What I see here looks more like a coverup, “fix and move on”…
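The post above asks that affected blog owners be told how to search their web server logs for abuse of the legacy file. The following is an added example, not code from this thread or from cloudsafe365, of what such a check could look like: it parses Apache "combined" access-log lines, decodes the request path (twice, so that double URL-encoding is not missed), and flags requests aimed at the legacy script that carry path-traversal sequences or name sensitive files such as wp-config.php. The plugin directory and the script name LEGACY_FILE_PLACEHOLDER.php are placeholders, since the thread does not name the file, and the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Placeholder for the legacy script's path; the thread does not name the file.
LEGACY_PATH = "/wp-content/plugins/cloudsafe365_for_WP/LEGACY_FILE_PLACEHOLDER.php"

# Files whose appearance in a request argument indicates an attempted read of
# configuration or system data rather than normal plugin use.
SENSITIVE_NAMES = ("wp-config.php", ".htaccess", "/etc/passwd")

# Constructed sample log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2012:13:55:36 +0000] "GET /wp-content/plugins/cloudsafe365_for_WP/LEGACY_FILE_PLACEHOLDER.php?file=../../../wp-config.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2012:13:56:01 +0000] "GET /wp-content/plugins/cloudsafe365_for_WP/LEGACY_FILE_PLACEHOLDER.php?file=..%252F..%252F..%252Fwp-config.php HTTP/1.1" 200 3124 "-" "curl/7.21"
192.0.2.9 - - [10/Mar/2012:13:57:10 +0000] "GET /index.php HTTP/1.1" 200 8721 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:13:58:44 +0000] "GET /wp-content/plugins/cloudsafe365_for_WP/LEGACY_FILE_PLACEHOLDER.php?file=style.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request
# line (method + path), status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Decode twice so that %252F (double-encoded "/") is seen as "/".
    entry["decoded_path"] = unquote(unquote(entry["path"]))
    return entry


def is_suspicious(entry):
    """True for requests to the legacy script that try to read other files."""
    path = entry["decoded_path"]
    if not path.startswith(LEGACY_PATH):
        return False
    return "../" in path or any(name in path for name in SENSITIVE_NAMES)


def find_abuse(log_text):
    """Return all parsed entries in log_text that look like abuse attempts."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append(entry)
    return hits


def summarize_by_ip(hits):
    """Map each client IP to the list of status codes it received.

    A 200 means the server most likely served the requested file, so those
    clients deserve a closer look in the rest of the logs.
    """
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], []).append(h["status"])
    return by_ip


if __name__ == "__main__":
    for h in find_abuse(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], h["decoded_path"])
    print(summarize_by_ip(find_abuse(SAMPLE_LOG)))
```

A 404 or 403 on such a request shows that someone probed the hole but got nothing back; a 200 with a non-trivial response size suggests the read succeeded, and in that case the advice in the thread applies regardless of what the logs say: change the database password and the salts, and review what else that client did.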
Forum: Plugins
In reply to: [cloudsafe365_for_WP] [Plugin: cloudsafe365_for_WP] Recommended
Thumbs up for the quick fix. However, quoting from the cloudsafe365 website:
Cloud computing does offer users convenient options with their digital lives, but consumers cannot rely solely on cloud services and software to protect their files and computers. They must actively participate in protecting their digital lives.
For now I chose security over convenience, even though the services offered do look very nice indeed. Just the fact that this problem got fixed quickly does not, given the severity of the problem, justify a recommendation. A security service should at least get its own security right, shouldn’t it?
Forum: Plugins
In reply to: [cloudsafe365_for_WP] [Plugin: cloudsafe365_for_WP] Recommended
Actually, this plugin is badly coded and allows anyone to view arbitrary files within your WordPress installation. If you want the whole world to be able to view your config.php and the like, I recommend installing the plugin. If sharing all your configuration details with the whole world sounds like a bad idea to you though, do not install this plugin!