Comments on: wordpress.org Cracked, Exploit in 2.1.1 Release /articles/wordpress-org-cracked-exploit-in-2-1-1-release/ Software Engineer and Consultant Sat, 29 Oct 2016 01:51:01 +0000 hourly 1 By: Juergen Kreileder /articles/wordpress-org-cracked-exploit-in-2-1-1-release/comment-page-1/#comment-51902 Sat, 03 Mar 2007 23:20:51 +0000 http://blog.blackdown.de/2007/03/03/wordpressorg-cracked-exploit-in-211-release/#comment-51902 Even if only 5% (that estimate probably is too high) would check the signature, a compromised download wouldn’t go undetected for more than three days!

And you’re right, downloading a untrusted key and a signed file at the same time is a bad idea! The key used for signing downloads has to be integrated into trust management, ie. it has be signed by well-known and trusted people.

]]> By: David Precious /articles/wordpress-org-cracked-exploit-in-2-1-1-release/comment-page-1/#comment-51900 Sat, 03 Mar 2007 22:22:31 +0000 http://blog.blackdown.de/2007/03/03/wordpressorg-cracked-exploit-in-211-release/#comment-51900 Signing releases with a PGP key would be a good idea, but of course 95% of the people installing WordPress probably wouldn’t understand how to verify a PGP signature, or would be too lazy to do it.

Even if they do validate it, unless they get the public key from a trusted source that the cracker can’t alter (e.g. from a keyserver) then it still doesn’t add a massive amount of safety. If the key was hosted on the site hosting the download, a cracker could just create a new key and sign their alterered code with that instead.

]]>