WordPress Password Fiasco

Fair or not, “You don’t know what you don’t know” is a throwaway phrase, often used to describe a typical Internet user’s range of knowledge as it applies to security risks. What’s worrisome about relying on the truth of this statement is that it applies much more broadly than to casual computer users. It applies equally to you, and to me.

Virtually every day, another previously unknown (or undisclosed) vulnerability in an application, operating system, website, cloud service, or Internet protocol is discovered by security researchers. Here’s today’s, from my Daily Net News column.

Improper SSL Implementations Leave Sites Wide Open to Attack – Security researchers are buzzing about the flaws in the Secure Sockets Layer system and the fact that a significant portion of the Internet is vulnerable to attack.

I’ll venture a guess and suggest – you didn’t know about this. Nor, did I. More to the point perhaps, what needs to be asked is – did cyber criminals know?

What about this one from two days ago?

Kaspersky: 12 different vulnerabilities detected on every PC – Researchers from Kaspersky have sampled their customer base, and found out that on average, every PC has 12 different vulnerabilities.

The vulnerabilities described are not self-inflicted; they are specified, or unspecified, vulnerabilities in Flash, Adobe Reader, Java, and Adobe Shockwave. There’s no need to wonder whether cyber criminals are aware of these vulnerabilities. They most assuredly are.

WordPress Password – I didn’t know that I didn’t know.

More than once, I’ve made the point here, there are certain companies which put forward unrealistic assertions that their Web operations are inviolate – they can’t be hacked. One of those companies is WordPress.com.

So, I was hardly taken by surprise when I received the following email from WordPress, yesterday. Not surprised – but, pretty pissed at the approach taken by WordPress to describe a potentially devastating circumstance for WordPress bloggers who run popular sites.

Hello Bill Mullins,

We recently found and fixed a mistake that we’d like to tell you about. Passwords on WordPress.com are saved in a way that makes them extremely secure, such that even our own employees are unable to see your actual password – the one you enter to login to your WordPress.com account.

However, between July 2007 and April 2008, and September 2010 and July 2011, a mistake in one of our systems used to find and correct bugs on WordPress.com accidentally logged some users’ passwords in a less secure format during registration.

We’ve updated our systems to prevent passwords from being logged this way in the future, so this will not happen again. We don’t have any evidence that this data has been accessed maliciously or misused, but to be on the safe side we are resetting your password since your account is among those affected.

Please change your password using this link or copy and paste the URL below into your web browser:

https://wordpress.com/wp-login (I have removed certain parameters here)

If the password you used when you registered on WordPress.com was one you use elsewhere, you should change it there, too. In the future, remember that it’s good practice to always use unique passwords for different services.

We are terribly sorry about this mistake. No one likes having to create new passwords and we’d like to include a 15% off coupon to say we’re sorry. The coupon can be used for a custom domain, a design upgrade, VideoPress, or a storage space increase. Just use the code below on any of the upgrades on the WordPress.com Store:

pc21d064ae

If you have any questions, please reply to this email and one of our Happiness Engineers will get back to you as soon as possible.

Thank you,
The WordPress.com Team

Some salient points:

Why on earth would WordPress send an email that has all the hallmarks of a phishing scam? Quote: “to be on the safe side we are resetting your password since your account is among those affected”. Huh? You’re going to reset my password? So there was zero chance of me clicking on the password reset link; from the inbox, a legitimate reset notice and a credential-harvesting lookalike are indistinguishable. The only secure method was a password reset initiated from this blog’s Dashboard, reached by typing the address myself rather than following anything in the email.

“A mistake in one of our systems” – At the desk I’m sitting at, I tend to call this type of “mistake” a vulnerability. Writing the plaintext of a credential into a debugging log, even for a limited period, defeats the careful hashing the email’s first paragraph boasts of; the hash protects the password database, not a log file that nobody noticed was collecting passwords.
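To make the failure mode concrete, here is an added example of what such a “mistake” typically looks like and how it is closed. This is illustrative Python written for this article, not WordPress.com’s code (which is not shown on this page); the registration request, the field names (`user_pass` and friends) and the list of sensitive parameter names are all assumptions. The secure path hashes the password before storage, exactly as the email claims; the leaky debug hook dumps every request parameter into a log, password included; the fixed hook redacts credential fields before anything is written.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Constructed sample registration request, modelled on what a web framework
# hands to a debugging/bug-tracking hook. Field names are assumptions, not
# WordPress.com's real parameters.
SAMPLE_REGISTRATION = {
    "path": "/signup",
    "params": {
        "user_login": "bill",
        "user_email": "bill@example.com",
        "user_pass": "correct horse battery staple",
        "user_pass_confirm": "correct horse battery staple",
    },
}

# Parameter names whose values must never reach a log. Substring match,
# case-insensitive, so user_pass, passwd, PWD and csrf_token all hit. Assumed list.
SENSITIVE_PATTERN = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)


def store_password(password, salt=None):
    """The secure storage path the email describes: only a salted PBKDF2 hash is kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return "pbkdf2_sha256$200000$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def debug_log_leaky(request, log):
    """The 'mistake': a debugging hook records every parameter, password included."""
    log.debug("signup request %s params=%r", request["path"], request["params"])


def redact(params):
    """Replace the value of any credential-looking parameter before it is logged."""
    return {
        k: ("[REDACTED]" if SENSITIVE_PATTERN.search(k) else v)
        for k, v in params.items()
    }


def debug_log_fixed(request, log):
    """The corrected hook: same diagnostic value, no plaintext credentials."""
    log.debug("signup request %s params=%r", request["path"], redact(request["params"]))


def capture(hook, request):
    """Run a logging hook against an in-memory log and return what it wrote."""
    buf = StringIO()
    log = logging.getLogger("demo." + hook.__name__)
    log.setLevel(logging.DEBUG)
    log.propagate = False
    handler = logging.StreamHandler(buf)
    log.handlers = [handler]
    hook(request, log)
    handler.flush()
    return buf.getvalue()


def password_in_log(log_text, password):
    """The check a reviewer of the logging system should have run."""
    return password in log_text


if __name__ == "__main__":
    pw = SAMPLE_REGISTRATION["params"]["user_pass"]
    stored = store_password(pw)
    print("stored record:", stored)
    print("leaky log exposes password:", password_in_log(capture(debug_log_leaky, SAMPLE_REGISTRATION), pw))
    print("fixed log exposes password:", password_in_log(capture(debug_log_fixed, SAMPLE_REGISTRATION), pw))
```

The point of `password_in_log` is that the defect is cheaply detectable: a test that registers a known password and then greps every log sink for it would have caught this on day one, rather than after two multi-month windows. Redacting by parameter name is a blunt instrument (a field called `pin` would slip through the assumed pattern), so in practice the allowlist approach, logging only fields known to be safe, is the stronger choice.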

“In the future, remember that it’s good practice to always use unique passwords for different services.” Yeah, sure. WordPress is just about the last organization I’d take advice from in terms of password control!

Offering a 15% discount on WordPress products “to say we’re sorry”, is ill advised and inappropriate. This “bad news” – “good news” approach, is out of bounds.

Finally, referring to support staff as “Happiness Engineers”, makes me wonder what these people smoke after breakfast. It’s a little late for ‘60s terminology, it seems to me.

I titled this article “WordPress Password Fiasco” not because WordPress found itself in an unknown vulnerable position (which, by extension, applies to me as well), but because the manner in which a serious situation was handled is appalling. At a minimum, WordPress has an obligation to disseminate news of this potential breach widely on the Internet. This is not business as usual.

Consider the number of serious breaches that occurred in the last year which the victimized organization initially classified as inconsequential, until, that is, information slowly leaked that in many cases the penetrations were disastrous. Think Sony.

I’m hopeful that, months from now, I won’t have to replace “Think Sony” with “Think WordPress”. But, then again, “I don’t know what I don’t know”.



Filed under Email, Internet Security Alerts, Opinion, Password Control, Point of View, Tech Net News, WordPress

10 responses to “WordPress Password Fiasco”

  1. Bill,
    Excellent article that points out how lax WordPress’ security mentality actually is. This was a mistake that could happen anywhere, but something tells me, based on WordPress’ lax approach to security in the past, this is an indication of how the company refuses to take security best practices seriously. I believe that this attitude starts at the top of an organization and trickles down to the folks doing the work…and perhaps communicates to them that they can be less careful because the bosses don’t care that much. All in my humble opinion.
    Keep up the good work.
    Best,
    Paul

    • Hi Paul,

      Let me join my humble opinion to yours.

      One thing I didn’t cover in this article is this. Earlier this year, I accidentally input the wrong user name into this particular blog’s Dashboard. Despite that, once I’d entered the correct password, I could access the account. I could do this successfully for more than a week before this illegal avenue was closed down. I was too fed up to even write about it.

      Good to get your comment on this.

      Best,

      Bill

  2. I guess you could vote with your feet dear Bill

    It would surely pay you to do so…

    • Hi Michael,

      Yes, you’re right – I could. But, to what end. Last year for example, GoDaddy was attacked repeatedly with malicious code injected into the sites.

      The issue here is WordPress’ behaviour, which is similar to so many organizations’ laissez-faire attitude to security concerns. It isn’t a big deal – until it is.

      Best,

      Bill

  3. Hey Bill,
    This is just simply unbelievable (I’m shaking my head). I mean, are WP’s PR people this low? Anyway, I’ve encountered a rude WP employee too.
    poch

  4. Hi Bill,

    I received that email too. At first I thought it was just another phishing scam that’s gonna point me to a page where I have to enter all my login details. But somehow, after reading this, I think it was a legit email and I’m gonna change my password on my other WordPress blog.

  5. I don’t know firsthand, but I have a few blogger friends who are quite happy with Typepad. Not free, but I think it’s somewhere around $10/month.

    Cheers.