Recently, a developer described a serious security incident on her blog. A client had asked her for help: after the client purchased and installed a WordPress theme, the site ran very slowly and nobody could find the cause. The developer dug into the root cause, and the results were surprising.
Pipdig is one of the largest WordPress theme developers, but its “pipdig Power Pack” plugin has recently been found to be rogue software.
After studying the source code of the pipdig Power Pack plugin, the developer mentioned above found that it:
- is using other bloggers’ servers to perform a DDoS on a competitor
- is manipulating bloggers’ content to change links to competitor WordPress migration services to point to the pipdig site
- is harvesting data from bloggers’ sites without permission, directly contravening various parts of the GDPR
- is using the harvested data to, amongst other things, gain access to bloggers’ sites by changing admin passwords
- contains a ‘kill switch’ which drops all database tables
- deliberately disables other plugins that pipdig has decided are unnecessary, without asking permission
- hides admin notices and meta boxes from WordPress core and other plugins from the dashboard, which could contain vital information
Turner claimed she’d found that, among other things, Pipdig’s plugins fired off traffic to a stranger’s website: web servers hosting the P3 PHP code would routinely send HTTP GET requests to a rival’s site, kotrynabassdesign.com, flooding it with connections from all over the world, it was claimed.
The P3 tools also, it was alleged, manipulated links in customers’ pages to direct visitors away from certain websites, collected data from customer sites, could change admin passwords, disabled other plugins, and implemented a remotely activated kill-switch mechanism allowing Pipdig to drop all database tables on a customer’s site. Again, this is according to an analysis of the P3 source code.
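Every behaviour in the list above and in the two paragraphs restating it (outbound requests to a fixed third-party host, rewriting page content, `DROP TABLE` statements, silently deactivating other plugins, changing admin passwords, hiding admin notices and meta boxes) leaves a recognisable footprint in a plugin's PHP source, so a site owner can look for them before activating a theme bundle. The script below is an added example written for this page; it is not code from Pipdig, Wordfence or Turner's analysis, and the sample plugin it scans is constructed for illustration, not the real plugin's source. It runs a set of regex indicators over the source, reports the line of each hit, and lists every host the code contacts that is not on an allowlist. Hits are review leads, not proof of malice: legitimate plugins also call `wp_remote_get` or `deactivate_plugins`.

```python
import re
from typing import Dict, Iterable, List

# Indicator rules: one regex per behaviour class from the article. Matching
# a rule means "a human should read this line", nothing more.
SUSPICIOUS_PATTERNS: Dict[str, str] = {
    # HTTP request whose target is a hard-coded URL (possible traffic to a third party)
    "outbound_request_to_fixed_host":
        r'(?:wp_remote_get|wp_remote_post|file_get_contents|curl_init)\s*\(\s*[\'"]https?://[^\'"]+',
    # destructive SQL issued from plugin code (the "kill switch" pattern)
    "drop_table": r'\bDROP\s+TABLE\b',
    # credential changes initiated by plugin code
    "password_change": r'\b(?:wp_set_password|wp_update_user)\s*\(',
    # disabling other plugins without the administrator's involvement
    "deactivate_plugins": r'\bdeactivate_plugins\s*\(',
    # suppressing admin notices or meta boxes from core and other plugins
    "hide_admin_ui": r'\b(?:remove_meta_box\s*\(|remove_all_actions\s*\(\s*[\'"]admin_notices)',
    # hooking the_content, the usual place to rewrite links in rendered pages
    "content_rewrite": r'add_filter\s*\(\s*[\'"]the_content[\'"]',
}
_COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in SUSPICIOUS_PATTERNS.items()}
_URL_HOST = re.compile(r'https?://([A-Za-z0-9.-]+)')


def scan_source(src: str) -> Dict[str, List[int]]:
    """Return {rule_name: [line numbers]} for every rule that matched at least once."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(src.splitlines(), start=1):
        for rule, pattern in _COMPILED.items():
            if pattern.search(line):
                hits.setdefault(rule, []).append(lineno)
    return hits


def unexpected_hosts(src: str, allowed: Iterable[str]) -> List[str]:
    """Hosts referenced by URL in the source that are not on the reviewer's allowlist."""
    allowed_set = set(allowed)
    found = {m.group(1).lower() for m in _URL_HOST.finditer(src)}
    return sorted(h for h in found if h not in allowed_set)


# Constructed sample plugin (hypothetical; not the pipdig Power Pack source).
SAMPLE_PLUGIN = """<?php
// constructed sample for the scanner, not a real plugin
add_filter('the_content', 'pp_rewrite_links');
function pp_rewrite_links($html) {
    return str_replace('https://migrate.competitor.example/', 'https://vendor.example/migrate/', $html);
}
add_action('pp_hourly', 'pp_ping');
function pp_ping() {
    wp_remote_get('https://rival.example/?cb=' . rand());
}
function pp_cleanup() {
    global $wpdb;
    $wpdb->query("DROP TABLE {$wpdb->prefix}options");
    deactivate_plugins('other-plugin/other-plugin.php');
}
"""


def report(src: str, allowed: Iterable[str]) -> str:
    """Human-readable summary of scan_source and unexpected_hosts for one file."""
    lines = []
    for rule, linenos in sorted(scan_source(src).items()):
        lines.append(f"{rule}: lines {', '.join(map(str, linenos))}")
    for host in unexpected_hosts(src, allowed):
        lines.append(f"contacts host not on allowlist: {host}")
    return "\n".join(lines) if lines else "no indicators found"


if __name__ == "__main__":
    # vendor.example stands in for the plugin vendor's own update server
    print(report(SAMPLE_PLUGIN, allowed={"vendor.example"}))
```

In practice you would run `scan_source` over every `.php` file under `wp-content/plugins/<plugin>/` and seed the allowlist with the vendor's documented update host and `wordpress.org`; any other host, and any `DROP TABLE` or password-changing call, is worth reading in context before the plugin goes live.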
At the same time, Wordfence, a security vendor specializing in services for WordPress sites, says it fielded a similar complaint about the P3 code from one of its users, and also found the same subroutines Turner described.