WordPress 5.2 ensures auto-updates through signature verification

WordPress 5.2 ensures auto-updates through signature verification

The content management system (CMS) used by many websites WordPress distributes important updates since version 3.7 from 2013 fully automatically. A majority of CMS users use this feature, which is enabled by default if the hosting environment of the WordPress installation allows it – which is likely to happen in almost all new installations today.

Security advocates rate AutoPress updates as extremely positive, as they at least keep the core functionality of the software up-to-date with the latest security updates, without the user having to worry about it.

Read More Stories: Instagram will filter and alert against antivacuna content using artificial intelligence

However, the feature also poses a significant risk: if an attacker were able to take control of the WordPress servers, he would have been able to install malicious code using the feature in one fell swoop on millions of heavily visited websites. With the now released update to version 5.2, the developers put a stop to this scary attack scenario.

According to research, more than a third of the 10 million most visited websites on the net run on WordPress. Most of them will have automatic updates enabled. An attacker who gains control over the developers’ update servers could have taken control of millions of well-visited sites in one fell swoop.

Read More Stories: Deepdotweb: Darknet directory down, arrested operators

Such an attack scenario is not as far-fetched as one might think. Similarly, in 2017 hackers had caused huge damage to the European economy by distributing the NotPetya Trojan via the update servers of the Ukrainian control software MeDoc. And as early as 2016, the security company Wordfence had discovered a vulnerability in the update mechanism of the CMS and reported to the WordPress developers, which would have made an attack on WordPress possible.

Another security company called Paragon Initiative has been working for years to close this vulnerability in WordPress with the help of CMS developers. In a two-year bug report from the company in the WordPress bug tracker, it says: “At the moment, an attacker who compromises api.wordpress.org may release a fake WordPress update and gain access to all WordPress installations on the Internet It’s now two minutes to twelve (it was one minute to twelve, but then Wordfence security researchers found this vulnerability). ” Two years after the bug report by the Paragon Initiative, the WordPress developers have now implemented their original recommendation and the WordPress updates cryptographically secured.

Read More Stories: Hackers have managed to steal 40 million dollars in Bitcoin to Binance

From the current version 5.2 WordPress uses so-called Offline Digital Signatures to secure the auto-update packages. Every WordPress installation receives a public key with the update, with which it can check the digitally signed WordPress update files in the future.

The files are signed with a secret key that only the core developer team of WordPress has access to and that can not be found on the web servers of the project. This is to prevent attackers who gain access to the update servers from outside who can distribute their own code to WordPress users. Since they do not have the secret key of the developers, they can manipulate the update packages distributed from there with access to the API server.

Read More Stories: Apple study: App usage indicates cognitive decline

With the first update after version 5.2 WordPress will only issue a warning to the administrator of the installation (soft fail), if the signature of an update is not correct. From the following version updates without valid signatures will then no longer be installed (hard fail). Details on this process are described in the Paragon Initiative in a detailed blog entry on the subject, As a byproduct of the new feature for the core developers, plug-in developers can now use the crypto-library sodium_compat, which comes with WordPress 5.2 and builds on the cryptography API Sodium, which in turn is based on the NaCl library of the crypto expert Daniel J. Bernstein and Tanja Lange is based. Sodium has replaced the mcrypt library with current versions of PHP, which is still used by many WordPress plug-ins but abandoned by their original developers over ten years ago and is no longer being updated.

Read More Stories: REACT NATIVE: Microsoft switches to C++ for Javascript apps from C#

The new digital signatures for WordPress updates are not a groundbreaking invention and have been state of the art in other software systems for years. They also do not completely protect websites that use the CMS from attack by the developer’s server API. If their secret key were lost, an attacker could still orbit malicious update code.

Even such attacks have been observed in the past with other software. However, the new signatures are an important step in the right direction and significantly complicate attacks on users of by far the most popular Web CMS. They make it a lot harder to hijack a third of the most popular websites on the net at one go.

Read More Stories: Guido blames social media for his decision to abandon the supervision of Python

Previous articleInstagram will filter and alert against antivacuna content using artificial intelligence
Next articleOpera founder Vivaldi has integrated with Razer Chroma
Aakash Molpariya
Aakash started in Nov 2018 as a writer at Revyuh.com. Since joining, as writer, he is mainly responsible for Software, Science, programming, system administration and the Technology ecosystem, but due to his versatility he is used for everything possible. He writes about topics ranging from AI to hardware to games, stands in front of and behind the camera, creates creative product images and much more. He is a trained IT systems engineer and has studied computer science. By the way, he is enthusiastic about his own small projects in game development, hardware-handicraft, digital art, gaming and music. Email: aakash (at) revyuh (dot) com