Comments on: Malicious WordPress plugin steals your admin password, and you didn’t even know ? http://www.dailybloggr.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/ Things of interest to the average internet savvy guy. Wed, 17 Mar 2010 03:54:41 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: gheo http://www.dailybloggr.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-16183 gheo Fri, 21 Aug 2009 21:30:53 +0000 http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-16183 great one,and well doen.keep up great one,and well doen.keep up

]]> By: teratips http://www.dailybloggr.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14814 teratips Sun, 12 Jul 2009 18:20:49 +0000 http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14814 its best but also its naughty tool its best but also its naughty tool

]]> By: Tech @ InkAPoint http://www.dailybloggr.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14786 Tech @ InkAPoint Fri, 10 Jul 2009 20:23:35 +0000 http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14786 You are right Mani. Sometimes plugins will work like upward compatible versions. But what's the problem is not all plugins are working as 100% compatible to newer versions of WP. We can't say that plugins will not work if it is developed for earlier versions of wp. You are right Mani. Sometimes plugins will work like upward compatible versions. But what’s the problem is not all plugins are working as 100% compatible to newer versions of WP.

We can’t say that plugins will not work if it is developed for earlier versions of wp.

]]> By: Tech @ InkAPoint http://www.dailybloggr.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14785 Tech @ InkAPoint Fri, 10 Jul 2009 20:20:34 +0000 http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14785 Yes. You can. Just open the plugin's zip file and see the php files. Yes. You can. Just open the plugin’s zip file and see the php files.

]]> By: marcelomuraro (marcelo muraro) http://www.dailybloggr.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14735 marcelomuraro (marcelo muraro) Thu, 09 Jul 2009 22:48:26 +0000 http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14735 Malicious WordPress plugin steals your admin password, and you didn’t even know? http://tinyurl.com/machfl Malicious WordPress plugin steals your admin password, and you didn’t even know? http://tinyurl.com/machfl

]]> By: Sarah Lewis http://www.dailybloggr.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14718 Sarah Lewis Thu, 09 Jul 2009 18:04:38 +0000 http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14718 @Nihar: until Sven's post, that particular plugin <em>was</em> in the WordPress directory. However, I think the title of this post is (unintentionally) misleading. If you read Sven's post again, you'll see that the plugin did <em>not</em> do anything with the WordPress admin password, only some basic SMS request data (that included the username and password for the SMS service, but nothing as sensitive as the WordPress admin password). Don't get me wrong; it's still a security issue. After all, the plugin was doing something without the user's permission. But I'm pretty sure that your admin password is actually very safe, even from malicious plugin authors, because it is not stored clear text (even in the database). There's no way that I know of for a plugin to ever access the unencrypted version of the password. All that said, it is definitely best to be cautious with any plugins. I think your tips are good ones. Perhaps some enterprising security pro will start a plugin-review blog and do us all a favor. :) @Nihar: until Sven’s post, that particular plugin was in the WordPress directory.

However, I think the title of this post is (unintentionally) misleading. If you read Sven’s post again, you’ll see that the plugin did not do anything with the WordPress admin password, only some basic SMS request data (that included the username and password for the SMS service, but nothing as sensitive as the WordPress admin password).

Don’t get me wrong; it’s still a security issue. After all, the plugin was doing something without the user’s permission.

But I’m pretty sure that your admin password is actually very safe, even from malicious plugin authors, because it is not stored clear text (even in the database). There’s no way that I know of for a plugin to ever access the unencrypted version of the password.

All that said, it is definitely best to be cautious with any plugins. I think your tips are good ones. Perhaps some enterprising security pro will start a plugin-review blog and do us all a favor. :)

]]> By: Nihar http://www.dailybloggr.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14705 Nihar Thu, 09 Jul 2009 16:59:12 +0000 http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14705 I think one should always use a plugin which is there on wordpress directory. DOn't use plugins from the the authors site. What do you think? I think one should always use a plugin which is there on wordpress directory.

DOn’t use plugins from the the authors site.

What do you think?

]]> By: Anish K.S http://www.dailybloggr.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14647 Anish K.S Thu, 09 Jul 2009 01:51:17 +0000 http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14647 Thanks mani for the advise. Thanks mani for the advise.

]]> By: Kurtis Taylor http://www.dailybloggr.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14640 Kurtis Taylor Wed, 08 Jul 2009 19:23:50 +0000 http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14640 I would have thought that Wordpress's approval process would be a little more careful about the kind of code placed in these plugins but I guess not. I would have thought that Wordpress’s approval process would be a little more careful about the kind of code placed in these plugins but I guess not.

]]> By: Mani Karthik http://www.dailybloggr.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14621 Mani Karthik Wed, 08 Jul 2009 16:45:19 +0000 http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14621 I completely agree Yael. In fact, I hadn't taken it seriously to this time. If the plugin works fine even after an upgrade, then I'd keep it. But I think this is a mistake I've been making and am seriously considering pulling them off with minimum user exp problems. I completely agree Yael. In fact, I hadn’t taken it seriously to this time. If the plugin works fine even after an upgrade, then I’d keep it. But I think this is a mistake I’ve been making and am seriously considering pulling them off with minimum user exp problems.

]]>