A former employee of WP MultiLingual (WPML) claimed he exploited vulnerabilities over the weekend. The ex-employee sent out mass emails to WPML's customers informing them of security holes in the plugin. WPML, however, denied this and instead stated that the employee had gained access to the company's server. WPML believed the ex-employee had left a backdoor, which was later used to access the database and server. The only data with evidence of compromise was emails, but the breach may have involved others. The potential number of customers affected could be as many as 600,000.
WPML is a popular software plugin that WordPress customers use to help translate their websites. Customers can choose from a range of languages, and it covers translations of documents and web pages. On the day of the attack, the website did not display this information. Instead, the defaced site showed the contents of the email sent by the ex-employee to customers.
WPML’s Security Around Data
In a similar Dutch case, e-commerce companies hired a contractor to develop a series of sites. In the process, he placed a website backdoor into his code and used it to extract customer data. He went on to use it for making fraudulent online purchases. What was interesting, as reported by researcher Christopher Burgess, was the weak controls the company had around access rights and authentication procedures. With this case in mind, unanswered questions remain about WPML. Was the ex-employee's access to databases holding customers' data revoked as soon as he left? Were scans and security updates carried out at all, or frequently enough, to identify the malicious code? Did WPML revoke admin rights, if any had been given?
WPML has since updated its site and rebuilt the code. Extra security measures implemented included multi-factor authentication. WPML reassures customers that all patches are in place and that the rebuilding of servers is taking place. WPML is also seeking legal action.