Hacking & Security
More than one million websites that run on the WordPress content management application run the risk of being completely hijacked by attackers exploiting critical vulnerability in most versions of a plugin called WP-Slimstat.
Versions prior to the recently released Slimstat 3.9.6 contain a readily guessable key that's used to sign data sent to and from visiting end-user computers, according to a blog post published Tuesday by Web security firm Sucuri. The result is a SQL injection vector that can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites.
"If your website uses a vulnerable version of the plugin, you’re at risk," Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri, wrote. "Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover)."
[Cross-posted from the Chromium Blog]
Around this time each year we announce the rules, details and maximum cash amounts we’re putting up for our Pwnium competition. For the last few years we put a huge pile of cash on the table (last year it was e million) and gave researchers one day during CanSecWest to present their exploits. We’ve received some great entries over the years, but it’s time for something bigger.
Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers.
For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million*.
We’re making this change for a few reasons:
- Removing barriers to entry: At Pwnium competitions, a security researcher would need to have a bug chain in March, pre-register, have a physical presence at the competition location and hopefully get a good timeslot. Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program (VRP) whenever they find them.
- Removing the incentive for bug hoarding: If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.
- Our researchers want this: On top of all of these reasons, we asked our handful of participants if they wanted an option to report all year. They did, so we’re delivering.
Logistically, we’ll be adding Pwnium-style bug chains on Chrome OS to the Chrome VRP. This will increase our top reward to $50,000, which will be on offer all year-round. Check out our FAQ for more information.
*Our lawyercats wouldn’t let me say “never-ending” or “infinity million” without adding that “this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.” Check out the reward eligibility requirements on the Chrome VRP page.
With tax season in full swing, it's time for the yearly reminder that the security practices of many tax-preparation services are lacking. Case in point: H&R Block's reported failure to confirm the e-mail addresses of at least some of its online account holders.
The lapse was reported to Ars by reader Aaron Johnson, who said H&R Block in recent days has e-mailed him the name, address, and security question of a complete stranger. Johnson said he is confident he has everything he needs to access this person's account, steal his most valuable personal data, and hijack any owed tax returns. We created an account at H&R Block and were not asked to authenticate the e-mail address we used.
The stranger happens to share Johnson's first and last name, and for reasons that aren't entirely clear, the alter ego occasionally uses Johnson's e-mail address when creating accounts. At no point, Johnson said, did he receive an e-mail from H&R Block requiring him to confirm that his e-mail address was connected to the other person's account.