That Time I Brought Down Millions of WordPress Sites

Posted by  on November 21st 2016 02:15 am

I'm going to take you guys back to a time when I was doing some client work.

I was at the time working on becoming a somebody in the WP Dev community. I attached myself to a really awesome designer, George Wiscombe, and started working on a theme he designed called Handgloves. I began by widgetizing it (which was just starting to catch on -- that probably dates me a little), then added a couple of built-in social media hooks. I emailed him and told him I was working on it, and he released my changes, and because he is an AWESOME dude, gave me a byline on it.

We (Humankind) had a client that wanted a WordPress Multi-User (yep, before multi-site -- dating myself yet again) installation for their interior design network, with an asset catalog that lived under the main root, but all the designers' sites as sub-domains. We ran into a little problem: Handgloves used TimThumb, and TimThumb's WordPress implementation at the time had a small limitation. It was hard-coded to use only the local uploads folder, by prepending the website URL to the uploads directory and then appending the image name.

I decided to do a quick fix for this, and post it up on my old personal blog. It allowed you to pass either a bare image name or a full URL including the scheme. If a full URL was passed, it would download the image locally into your uploads folder.

Problem Solved! (Or So I thought)

I posted my change up to Binary Moon, linking back to my personal blog, with a small caveat - "I haven't tested this, and there are probably gaping holes in it."

Within a week, my blog was seeing a few hundred hits per day all for TimThumb, and that was awesome. I think my change was eventually merged into the main TimThumb library, since my traffic died down after a few months (I don't know that for a fact).

The client had eventually decided that in order to preserve backlink juice, the site shouldn't have sub-domains, but live under sub-folders, and I forgot about TimThumb for the time being.

Many Months (or a Year?) Later

That gaping hole that I warned might be in my super shitty code... Well, there it was. Millions of sites had been affected.

The exploit used my cross-domain TimThumb (which had already been patched by that time, but who actually downloads new versions of PHP scripts?) to download PHP scripts from other websites, and thanks to my addition to the code, it would store them locally in the uploads directory.

So a hacker would find a website using TimThumb, then make the request that told it to grab their remote PHP script. Once TimThumb had downloaded and stored the script in the uploads folder, the hacker would request it, execute it, and own the site. Having an up-to-date WordPress or TimThumb, or basic permission settings on the uploads folder, would have prevented every one of these attacks, but that is the nature of the internet. No one ever patches their servers, and random people who download a script never sign up for notifications of new versions or anything.
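As an added example that is not part of the original post and not TimThumb's code, this is what the "accept a full URL and store it in the uploads folder" step from the modification above looks like when written defensively. It covers both halves of the problem described on this page: the cross-domain download (scheme and host allowlists, size cap, content validation, a filename that never comes from the URL) and the uploads-directory execution (a directory that the web server refuses to run PHP from). The host allowlist, the cache directory, the function names and the `.htaccess` rules are my assumptions; the Apache directives assume 2.4.

```php
<?php
// Added example, not TimThumb's or the author's code: a hardened version of the
// "accept a full URL and cache it locally" step described above. The function
// names, cache directory and host allowlist are assumptions for illustration.
declare(strict_types=1);

// Hosts we are willing to fetch from (assumed values). The original change
// trusted any host, which is what let arbitrary remote files reach disk.
const ALLOWED_HOSTS = ['images.example.com', 'cdn.example.org'];
const MAX_BYTES = 5 * 1024 * 1024;       // refuse anything larger than 5 MiB

// Detected MIME type => extension we will write. The extension is derived from
// the bytes, never from the remote filename, so "x.php" cannot land as .php.
const IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Download $src into $cacheDir and return the local path, or null when any
 * check fails (the caller should then serve a 404 rather than the remote file).
 */
function fetch_remote_image(string $src, string $cacheDir): ?string
{
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                                   // not an absolute URL
    }
    // Scheme allowlist: rules out file://, ftp://, php:// and friends.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Host allowlist: the single check that would have stopped the attack above.
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }

    // Fetch with a timeout, a byte cap and no redirect following (a redirect
    // could otherwise bounce the request to a host that is not on the list).
    $ctx = stream_context_create([
        'http' => ['timeout' => 5, 'follow_location' => 0],
    ]);
    $body = @file_get_contents($src, false, $ctx, 0, MAX_BYTES + 1);
    if ($body === false || $body === '' || strlen($body) > MAX_BYTES) {
        return null;
    }

    // Validate the payload by parsing it as an image; the server's
    // Content-Type header is not consulted because the remote side controls it.
    $info = @getimagesizefromstring($body);
    if ($info === false || !isset(IMAGE_TYPES[$info['mime']])) {
        return null;              // PHP source, HTML, SVG and so on all fail here
    }
    $ext = IMAGE_TYPES[$info['mime']];

    // Filename derived from a hash of the URL: no remote-chosen characters,
    // no path traversal, no remote-chosen extension.
    $dest = rtrim($cacheDir, '/') . '/' . hash('sha256', $src) . '.' . $ext;

    // Write to a temp name and rename so a half-written file is never served.
    $tmp = $dest . '.' . bin2hex(random_bytes(8)) . '.tmp';
    if (file_put_contents($tmp, $body, LOCK_EX) === false || !rename($tmp, $dest)) {
        @unlink($tmp);
        return null;
    }
    return $dest;
}

/**
 * Defence in depth for the cache directory itself: even if a polyglot file
 * (a valid GIF with PHP appended) passes the image check, Apache must never
 * hand anything in this directory to the PHP engine. Call once at install time.
 */
function init_cache_dir(string $cacheDir): void
{
    if (!is_dir($cacheDir) && !mkdir($cacheDir, 0755, true)) {
        throw new RuntimeException("cannot create $cacheDir");
    }
    $htaccess = rtrim($cacheDir, '/') . '/.htaccess';
    if (!file_exists($htaccess)) {
        file_put_contents($htaccess,
            "php_flag engine off\n" .
            '<FilesMatch "\.(php|phtml|php[0-9])$">' . "\n" .
            "  Require all denied\n" .
            "</FilesMatch>\n"
        );
    }
}
```

Usage is the two calls in order: `init_cache_dir($dir)` once when the script is installed, then `fetch_remote_image($src, $dir)` in place of the plain download, serving a 404 whenever it returns null. The two layers are deliberately independent: the fetch function guarantees that nothing with a `.php` extension or an attacker-chosen name reaches disk, and the directory rules guarantee that even a file that slips past the content check is served as static bytes rather than executed. Either one alone would have blocked the chain described in the post; together, a mistake in one does not reopen it.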

Many millions of websites were affected by this, and once Google found the exploit, they started blocking most sites that could be hijacked like this from search results and from the Chrome browser.

And that was how I brought down millions of websites.

Copyright © Jeremy A Boyd 2015-