Wordpress.org plugins hacked, Dropbox lets its passwords down

Posted by Pierre Jean Duvivier on Wed, 06/22/2011 - 23:03 in Blogposts, guardian.co.uk, Hacking, PHP, Technology

Charles Arthur est l'auteur de ce post que vous pouvez integralement retrouver ici : article original

Problems at Wordpress could mean malicious plugins - while Dropbox admits it failed to enforce passwords for logins for four hours on Tuesday

From the Wordpress.org (that is, the code development site, not the blog hosting site, which is Wordpress.com):

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

We're still investigating what happened, but as a prophylactic measure we've decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you'll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.)

They also offer standard good advice:

As a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one.

Second, if you use AddThis, WPtouch, or W3 Total Cache and there's a possibility you could have updated in the past day, make sure to visit your updates page and upgrade each to the latest version.

Wordpress has had similar problems in the past, including an occasion when a fake "new" version was rolled out with a backdoor in it.

Meanwhile Dropbox, the digital locker service, has had to face the fact that it broke its own authentication system for four hours on Tuesday - which meant that anyone could log in to anyone else's account. Dropbox says that it thinks only 1% of people logged into accounts in that time, though of course it doesn't know if they were the ones who were meant to log in to them.

Many people might say "no harm done - all that's happened is that someone might stick some files in your Dropbox." Yes, or read them. Or, as someone suggested, stick a malware-infected file in. It's a bad lapse for Dropbox. There's enough hacking going on as it is without this.



guardian.co.uk © Guardian News & Media Limited 2011 | Use of this content is subject to our Terms & Conditions | More Feeds





Printemps des blogueurs : Marine Le Pen est-t-elle la candidate des anonymous ?
Lundi 2 avril 2012, Débat avec Marine Le Pen sur les enjeux du numérique
Politique et Business des jeux d'argent
L'UMP déclare la guerre aux Français vivant en Suisse
Marie-Françoise D'ANGLEMONT de TASSIGNY, candidate pour le parti radical, " les Français ont besoin d’un discours de vérité"
Pierre Jean Duvivier dit Sage, candidat indépendant aux législatives 2012 en Suisse, "un pays se construit sur la confiance."
Nicole Castioni, candidate PS aux législatives 2012 en Suisse, "je veux casser l'image d'une diaspora fiscale..."
Huffington Post Français : des erreurs et du réalisme.
Claudine SCHMID, candidate UMP aux prochaines législatives en Suisse : 'Il faut penser aux prochaines générations'
9 questions aux candidats de la 6éme circonscription suisse pour les français de l'Etranger
Les Français de Suisse voteront aux prochaines législatives 2012 Françaises mais pour qui ?
Peugeot fait son show entre Kinect et 3D
Beebble préfigure les jeux de social gaming à venir
Les lunettes BIO OPTIK : les geeks peuvent maintenant (mieux) dormir...
Investir dans les stratégies automatiques sur le Forex
Larousse lance 'le jeu du dictionnaire larousse' sur iPAD
Table ronde à Hec Genève sur 'la net génération dans l'entreprise en mutation'
By 2014: Augmented Reality will be on every Smartphone
La presse traditionnelle est déja morte
Les media historiques français sont malades de leurs marques.
Gagnez de l'argent en dormant
Les savoirs du web : 12 professionnels de haut niveau parlent du web
Les Etats-Unis s'apprêtent à interdire la vente et l'achat de métaux précieux pour les particuliers
Les groupes de presse perdent la bataille technologique
Attention, faux mail de GMAIL vous demandant vos accés !