BlogVault vulnerability exposed tens of thousands of sites to hacking
BlogVault has 20,000 active installs of their free plugin on WordPress.org, and on their home page they boast 85,000+ sites in their network. Over the weekend, they disclosed a vulnerability in their plugin that exposed customers, and an unknown percentage of customer sites were hacked.
The vulnerability has been exploited in the wild, including at large hosts. BlogVault founder Akshat Choudhary said in the email that all BlogVault account emails have been reset, and that they are scanning every install and providing notice to all account-holders — affected or not.
It’s pretty much the worst possible thing from a PR perspective for a security plugin to be itself vulnerable. BlogVault was making headway in the market, and recently released a brand new dashboard that I found to be a dramatic improvement from what they showed me in a demo a little over a year ago.
The technology itself, I found to be incredibly slick, and it’s a shame to see this hack occur. It’s bad for customers and also bad for BlogVault themselves.
The email notification of the hack was more detailed than their blog post, but they also have a status page with more frequent updates of the steps they are taking.
Some sites were hacked, “for several days,” before the vulnerability was discovered and disclosed. Akshat insinuates in the blog post that some hosts are suspending the accounts of BlogVault users.
The email was sent on February 4th. The blog post with the disclosure was published February 6th. But the update to the plugin was made on February 2nd. So they knew about it for about two days, at least, prior to the disclosure, which is not good, considering it was a live hack.
Based on the diff I link above, it appears this vulnerability was quite bad — enabling a hacker to take over vulnerable sites completely, using an automated script. I haven’t confirmed that, but based on mine and a friend’s review, that seems to be what’s possible.
You should be notified if you have a BlogVault account that’s been affected. I got the general email, as a BlogVault account holder, but I have not gotten a separate notice about the specific site I used to test the service (not a site of consequence); presumably that means I’m in the clear, but I’m not 100% sure.
It’d be nice if the additional emails to unaffected customers were already underway. Considering it seems there was knowledge of this hack at least a day or two prior to notice, the rollout for notifying customers seems a bit laggard to me. However, the notice given was thankfully pretty thorough.
Despite the BlogVault team saying FTP credentials, credit cards, and WordPress admin credentials were not affected, I know that some hosts are resetting absolutely everything for affected sites, as well as working with customers get the sites cleaned up. BlogVault also says they will clean up all affected sites.
I’m still working on this story and will let you know if I learn anything new of consequence. In the meantime, if you are using BlogVault anywhere, you should make sure your sites have not been hacked, and take appropriate action.