Why the WordPress REST API user endpoint still isn’t fixed and 20170113 Vulnerability Report

Not as many vulnerabilities to report this week (that’s good, right?).  Just four.

20170113 Vulnerable Plugins Report

I would like to mention that one of the security items fixed in version 4.7.1 of WordPress this week isn’t as complete as it initially sounds.

The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.

As I have mentioned a couple of times, exposing your user data publicly is a bad idea and goes directly against OWASP A6 Sensitive Data Exposure.  From the changelog (quoted above) it sounds like in v4.7 your user data was only exposed if the user had authored a public post, but that’s not correct.  When I first heard about the user endpoints in the REST API, I discovered that all users who were capable of publishing were exposed, even if they had never published anything (and don’t forget: your first admin user is automatically added as the author of the example post when installing WordPress). In the v4.7.1 fix, they’ve changed that to be only post types that are to be shown in the REST API, but don’t forget that the default post type is included automatically.

[Screenshot: WordPress user details for a WordPress Editor who has never published a post]

The above screenshot is from a version 4.7.1 WordPress site that has not had the user endpoints removed. As you can see, the account adamsmel does not have any posts.  In fact, this particular site is brand new and doesn’t have any posts, published or draft, at all.   However, when querying the REST API for users, her account still shows up.

[Screenshot: the user account still shows up in the response from the REST API user endpoint]

Now, it’s possible that the change introduced in version 4.7.1 only affects new user accounts that are added after the 4.7.1 update is applied, but that still leaves millions of sites at risk of exposing their usernames.

I love the REST API; I truly do, but considering the amount of information potentially exposed, it has to be done securely.  Until the REST API can be placed behind authentication, the WordPress core team needs to stop including the default post type in the REST API automatically and remove the user endpoints.  Give developers the ability to expose those endpoints if they want, but don’t make it the default for the millions of WordPress installations that will never see a developer.

20170104 Vulnerable plugins report and WordPress in 2017

I do these updates and vulnerable plugin reports for the University of Missouri campus and thought I’d include them here as well.

Everyone should be updated to WordPress version 4.7 by now.  If not, please do so as soon as you can.  Lots of new, exciting features were added: WordPress 4.7 announcement and changelog.

If you didn’t follow Matt Mullenweg’s State of the Word this year from WordCamp US, you can watch it online (jump to 1:22:27 to see me question Matt on WordPress security issues).  If you’re interested, I also wrote up my key take-aways from WordCamp: Part 1 and Part 2.

One of the big announcements from Matt was that he is taking back over as product lead for 2017 and that there will be no scheduled releases for WordPress in 2017.  Instead, the core team will be focusing on a simpler, faster UX (specifically the post editor) and more power for developers.  Minor point releases for bugs and security issues will be released as necessary, but large point releases will not be on a schedule. 

One of the big announcements for v4.7 was the core team added multiple content endpoints for the new REST API.  Unfortunately, one of those endpoints is users.   This means that anyone can remotely query your site for a list of your users.  Despite all of our efforts to lock down this sensitive information leakage, WordPress has added yet another way to retrieve this information.  To disable this “feature”, add the code from this gist into your functions.php file in your theme.  
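As an added example (this is not the gist linked above, and it assumes WordPress 4.7, where core registers the `/wp/v2/users` routes), the following theme `functions.php` code removes the user routes for anonymous requests so accounts can no longer be enumerated; the second filter is an optional, stricter step that puts the whole REST API behind authentication.

```php
<?php
// Added example for a theme's functions.php (assumes WordPress 4.7+).
// Not the gist referenced in the post; route names are core's own.

/**
 * Drop the user endpoints for visitors who are not logged in, so that
 * GET /wp-json/wp/v2/users no longer lists accounts. Logged-in users
 * (wp-admin, authenticated clients) keep the routes.
 */
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
        '/wp/v2/users/me',
    );
    foreach ( $user_routes as $route ) {
        if ( isset( $endpoints[ $route ] ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

/**
 * Optional, stricter: require an authenticated user for every REST
 * request. Leaves any earlier authentication result untouched and
 * rejects anonymous access with a 401. Note that this also blocks
 * legitimate public consumers of your content, so prefer the filter
 * above if the user endpoints are your only concern.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to use the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

To verify, request `/wp-json/wp/v2/users` without logging in: it should now answer with a `rest_no_route` 404 (or a 401 with the second filter) instead of a list of accounts.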

You also might have heard quite a bit recently about the remote code execution vulnerability inside of PHPMailer which is included in WordPress core. While it is a critical vulnerability, several pieces have to align correctly in order for it to be exploited inside of WordPress.  An attacker would either need to combine multiple successful attacks, or already have an admin account on the site.  And if they have an admin account already, you’re already in trouble.  I mention it because WordPress will be updating their version in the coming days so make sure to update as soon as it is released.  More importantly, I would begin looking through your theme and plugins to see if they have included the vulnerable version.  If so, I would suggest manually updating the PHPMailer version, or discontinue use of the theme/plugin until that file has been updated.

Last, but not least, the vulnerable plugins report for 20170104:

https://docs.google.com/spreadsheets/d/1It-bOSM3AR_PVjKINvCe0bhiePEgT6L1EC4Sq3UxBIQ/edit?usp=sharing

WordCamp US 2016 recap, part 2

[Photo: me asking Matt Mullenweg about the lack of security presentations]

This is part 2 of my recap. Be sure to check out part 1.

One thing I forgot to mention about Chris Lema’s presentation from part 1 that stuck with me is:

If there is something new you want to start doing, attach it to a good habit you already have.
— Chris Lema

The thought is that by attaching the new action to your previously established habit, you’re more likely to integrate the two items together and adopt it.  As someone who is fairly regimented, with several established habits, I’m excited to test out this theory.

Day 2 started off with, in my opinion, one of the best presentations of the conference: WordPress & SEO in 2016 by Joost de Valk.  I had the pleasure of meeting Joost Thursday night.  Incredibly funny, nice guy. And he was full of remarkable advice. Canonical links are extremely important, and should be added to core.  He busted some myths: @google will not find everything by itself. Link to your content! From inside and outside your site.  Luckily, Joost said that sitemaps (sitemap.xml) are going to be built into WordPress core.

“Not having a mobile friendly site is like taking a knife to a gunfight”
— Joost de Valk

He went on to say that you should not use more tags than articles; it just doesn’t work for SEO, and that fewer tags/category/taxonomy terms is better than too many.  In addition, you should have a post or page for each topic.  He left us with two last bits of advice. First, find good, old content on your site, update it, making sure its content and information is up-to-date, and then change the publication date. Second, think of your most important keyword, determine which page on your site should match, and then test via ‘keyword site:yourdomain’.  For example: wpdirauth site:gilzow.com.

Next up was Blogging – The Best Thing I’ve Done as a Developer by Sal Ferrarello, and a major reason why I’m writing these posts.  The major focus of the talk was any time you have a problem and need to research it, take a moment and write about it.  Specifically,

It doesn’t have to be a major undertaking, take a problem, write a solution. Keep a tight focus and make it short.  If people are rude, or overly critical, just delete their comments.  Don’t let the fear of trolls prevent you from writing. By writing up the solutions, you’ll make yourself more efficient. How is that? How many times have you ended up researching the same problem more than once? Yeah, we all have.  By writing up a post with the solution, you can now go back to your own write-up for the solution, instead of searching stackoverflow again.  Additionally, when you write it out, you begin to solidify the solution into long-term memory.

Target the keywords you used when researching the problem and use them in your post to make them easier to find later. In fact, if you do it right, the next time you search for the solution, your write-up might be the top match in your search! In addition, you’ll get the added benefit of increasing your own brand.  And when you increase your personal brand, by extension you increase your company’s brand. Win Win Win!

It was about this time that I came to the realization that there weren’t going to be any security-related talks or presentations at WordCamp. Given WordPress’ history with security and the abundance of security issues surrounding WordPress, particularly in the area of plugins and themes, I was shocked that the conference organizers had elected to not include at least one talk on security or how to secure your WordPress install.

I had people respond asking if I had missed the Let’s Encrypt presentation by Nancy Thank. Now, I had originally planned to go to it instead of Sal’s talk, thinking it was going to cover encrypting the database behind WordPress, or perhaps encrypting sensitive files.  Instead, it covered the Let’s Encrypt SSL initiative, and how to use it. Now don’t get me wrong, SSL is very important for protecting your credentials while logging in, and your session IDs while logged in, but unfortunately, many people mistakenly believe that having SSL on a site equates to having a secure site.  Nothing could be farther from the truth.  Great minds must think alike because Tony Perez wrote up a post about this exact topic.

[Photo: lunch with Caleb and Krystle, lunch conversations with members of the Sucuri team]

The discussion of the lack of security presentations and the SSL debate continued over lunch with the rest of the Sucuri team. We all agreed that more security-related education in the WordPress community is desperately needed.  After lunch, I went to A view from Google: The latest in Search and mobile by Maile Ohye.  Wow, so much incredible, useful information during this session. So much, that it’s too much to try and write out and instead I’m just going to do bullet points:

  • Globally, mobile queries have surpassed desktop
  • China and India have a huge population of people who are not online yet
  • 864 million users in India
  • English makes up 54% of the languages used on websites
  • Data connectivity is a significant portion of their [India] income
  • Voice recognition makes up 20% of queries now
  • 53% of visitors will abandon a mobile site if it doesn’t load within 3 seconds
  • Google has Search Lite in India and Indonesia, which has decreased load times tenfold
  • 60% of mobile data is 2G (!!!)
  • AMP is a constrained format, to keep things fast; many are predicting that in two years we’ll all be designing in AMP
  • If a mobile version exists, it will become the canonical version that is indexed [with Google]
  • As of January 2017, Google will warn users about non-SSL sites that appear to be asking for passwords or credit card numbers

[Photo: the Sucuri team "socializing"]

Like I said, so much good information in that session.  Last up for the regular sessions was Computational Design and Inclusion by John Maeda. He discussed how design can be used for inclusion or exclusion, and how the changing technology landscape needs to adjust to be even more inclusive. I learned that pedestrian phone lanes are now a real thing in China and that 20% of Americans have some hearing loss, due to exposure to loud noises, illness, or aging.  You can count me in that 20% unfortunately.  And I worry that number is going to increase even more due to the prevalence of in-ear headphone use, especially among the younger generations.  But my biggest takeaway was

[Photo: hanging with the Sucuri team for Matt’s State-of-the-Word address]

Rounding out the conference was Matt Mullenweg’s State-of-the-Word address. I didn’t take any notes as it was pretty crowded (no room for the Surface), but luckily the staff at WordCamp US did a fantastic storify: WordCamp US 2016: State of the Word. Big takeaways for me were:


  • WordPress now makes up 27% of the entire web
  • WordPress foundation will help fund Black Girls Code in 2017
  • Only 11.45% of WordPress sites are using SSL
  • Everything associated with desktop usage is going down, everything associated with the mobile app and browser is going up
  • WordPress 4.7 now includes content endpoints in the REST API
  • There will be no set releases for core in 2017; design will lead the way, more user research

[Photo: the Sucuri team goofing around. Wait, where’s Dre?]

Once he was done he opened it up to Q&A, which I had been waiting for since he first addressed the crowd.  I hopped up and waited my turn (see the picture at the very top).  I first thanked him for supporting Black Girls Code. I then questioned him on why there were no security-related presentations, and what his plans are for educating the WordPress community on security (video available). He acknowledged that security is important and that the lack of presentations was an oversight.  I found the rest of his answer about educating the community to be lacking.  I fear that those of us in the community who are passionate about security are going to have to take up that mantle and educate our colleagues.

[Photo: Dre. Oh, there’s Dre!]

Lastly, I want to thank Tony, Dre, Krystle, Renu, WarHammer, Val, Alycia and Kiko and the rest of the Sucuri team for letting me hang out with them.  We had some amazing discussions and I thoroughly enjoyed my time with all of you.  I sincerely hope our paths cross again.