Picture of Jürgen Kreileder

wordpress.org Cracked, Exploit in 2.1.1 Release

As pointed out on the WordPress development blog, a cracker gained access to the wordpress.org servers and replaced the 2.1.1 download with a modified exploitable version. The exploitable download may have been on the site for three or four days!

It may be a good idea for the developers to sign their releases with a well known and trusted PGP key. This would allow people to verify that downloaded files are really what they should be!
This is a well-established practice used by other projects, for example by the Linux kernel.

This article Jürgen Kreileder is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.


Stay in touch with the conversation, subscribe to the RSS feed for comments on this post. Both comments and pings are currently closed.

Signing releases with a PGP key would be a good idea, but of course 95% of the people installing WordPress probably wouldn’t understand how to verify a PGP signature, or would be too lazy to do it.

Even if they do validate it, unless they get the public key from a trusted source that the cracker can’t alter (e.g. from a keyserver) then it still doesn’t add a massive amount of safety. If the key was hosted on the site hosting the download, a cracker could just create a new key and sign their alterered code with that instead.

Even if only 5% (that estimate probably is too high) would check the signature, a compromised download wouldn’t go undetected for more than three days!

And you’re right, downloading a untrusted key and a signed file at the same time is a bad idea! The key used for signing downloads has to be integrated into trust management, ie. it has be signed by well-known and trusted people.