UpdraftPlus, a backup plug-in for WordPress, has issued an urgent security patch. Researcher Marc-Alexandre Montpas of Automattic discovered the vulnerability during an audit of UpdraftPlus and reported it on February 15. It was patched within two days.
Montpas found that any authenticated user on a WordPress site running the plugin could download the site's existing backups. No special privilege was required: even the most basic account type, such as a subscriber or a shop customer, was sufficient for the first part of this attack.
The second part, finding and downloading the backup, might not be so easy, according to UpdraftPlus. In its advisory blog post, it wrote, “Affected sites are at risk of data loss / data theft via the attacker accessing a copy of your site’s backup, if your site contains anything non-public. I say ‘technically skilled’, because at that point, no public proof of how to leverage this exploit has been made. At this point in time, it relies upon a hacker reverse-engineering the changes in the latest UpdraftPlus release to work it out.”
The blog goes on to say, “However, you should certainly not rely upon this taking long, but should update immediately. If you are the only user on your WordPress site, or if all your users are trusted, then you are not vulnerable, but we still recommend updating in any case.” That statement, “if all your users are trusted”, is strange. Trusting a person is not the same as trusting an account. An account created for a trusted user can still be phished, logged into with a password reused from another breach, or left active after that person has moved on, and insider misuse is itself on the rise. A privilege check that exists only for untrusted users is not a privilege check.
Always encrypt your backups
There is a bright spot for Updraft Premium customers who encrypt their database. The company writes: “Users who are using UpdraftPlus Premium’s feature for encrypting your database backup are protected against data loss/theft from this problem, assuming that you have kept your encryption password secret. (There is no known vulnerability allowing the attacker to also access this).”
Additionally, even if your data is stolen, the company notes that “The WordPress database, following modern security standards, hashes stored passwords. This means that your WordPress login password is protected even from someone who has obtained even an unencrypted copy of it.” That is true as far as it goes, but a database backup is more than a password table. Hashes can be attacked offline at the attacker’s leisure, weak passwords will fall, and the same dump typically holds user email addresses, order and customer data, and whatever API keys or tokens plug-ins keep in the options table. Encrypting the backup, or not letting it leak in the first place, is what actually protects that data.
Enterprise Times: What does this mean?
UpdraftPlus has shown that it is possible to receive a security alert and act quickly if you want. It should be praised for its actions because too many software companies take weeks, if not months, to address vulnerabilities.
Many UpdraftPlus installations are also configured to update automatically, which let the fix reach a large part of the user base before any exploit was public. It is a good illustration of why automatic updates should be used more often. Even so, UpdraftPlus users should still check the installed plug-in version in the WordPress plugins screen and, if the update has not been applied, apply it immediately.
However, it also shows how easily a simple coding error becomes a serious security risk. In this case, the problem was a missing authorisation check: the code confirmed that the caller was logged in, but not that the caller was an administrator entitled to download the backup. Thankfully, it seems to have been caught before any proof-of-concept code was written or released.
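To make the class of bug concrete, here is an added example written for this article; it is not UpdraftPlus code and does not reproduce the plug-in’s actual handler. It shows a hypothetical WordPress plug-in that serves backup archives over admin-ajax, first with only the implicit “logged in” check that a `wp_ajax_` hook provides, then with the capability check and CSRF nonce an administrative download endpoint needs. All function names, the hook names and the `example-backups/` directory are assumptions made for illustration.

```php
<?php
// Added example for this article, not UpdraftPlus code. The plugin,
// function and hook names below are hypothetical.

// Directory where the hypothetical plugin stores its backup archives.
function example_backup_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'example-backups/';
}

// Map a user-supplied file name to a path inside the backup directory.
// Rejects empty names, directory components and files that do not exist,
// so a caller cannot use this endpoint to read arbitrary files.
function example_resolve_backup( $name ) {
    $name = sanitize_file_name( wp_unslash( $name ) );
    if ( '' === $name || $name !== basename( $name ) ) {
        return null;
    }
    $path = example_backup_dir() . $name;
    return is_file( $path ) ? $path : null;
}

// Send the archive to the client and stop WordPress from rendering anything else.
function example_stream_file( $path ) {
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// VULNERABLE: a wp_ajax_{action} hook only fires for logged-in users, so the
// author may believe access is restricted. In fact any account, including a
// subscriber or shop customer, can call this and download a backup.
function example_download_backup_vulnerable() {
    $path = example_resolve_backup( $_REQUEST['backup'] ?? '' );
    if ( null === $path ) {
        wp_send_json_error( 'no such backup', 404 );
    }
    example_stream_file( $path );
}
add_action( 'wp_ajax_example_download_backup_vulnerable', 'example_download_backup_vulnerable' );

// FIXED: decide who may download before touching the file system at all.
// manage_options limits the endpoint to administrators, and the nonce stops a
// logged-in admin from being tricked into triggering the download by a third
// party's page. Both checks come before any use of request input.
function example_download_backup_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'example_download_backup', 'nonce' );

    $path = example_resolve_backup( $_REQUEST['backup'] ?? '' );
    if ( null === $path ) {
        wp_send_json_error( 'no such backup', 404 );
    }
    example_stream_file( $path );
}
add_action( 'wp_ajax_example_download_backup', 'example_download_backup_fixed' );
```

In a real plug-in only the fixed handler would be registered; the vulnerable one is kept here so the two can be read side by side. The admin page that offers the download link would generate the nonce with `wp_create_nonce( 'example_download_backup' )` and pass it as the `nonce` request parameter. The order matters: the capability check runs first, so a low-privileged account learns nothing about which backup files exist, and `wp_send_json_error()` terminates the request, which is why no `return` is needed after it.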