Something fascinating happened over the weekend. I spotted this post from my mate Jem. I’ve known Jem for years, and when it comes to all things web development she’s probably one of the smartest people I know – I trust her. If you can’t be bothered to click on the links, or you’d like the brief version – she uncovered a massive security threat within a plugin created by a company called ‘pipdig’. Pipdig creates themes and plugins for WordPress blogs, and they host blogs too. My dealings with them are fairly limited; I’ve seen their themes a lot – I’m not a massive fan, they all just look a bit ‘Mummy Blogger’ to me.
The pipdig Power Pack plugin was found by Jem to be doing (or able to do) some of the following –
- Using other bloggers’ servers to perform a DDoS on a competitor
- Harvesting data from bloggers’ sites without permission, directly contravening various parts of the GDPR
- Using the harvested data to, amongst other things, gain access to bloggers’ sites by changing admin passwords
- Containing a ‘kill switch’ which drops all database tables
I will spare you the code because I know most people reading it won’t actually understand it. Even with my limited PHP knowledge, I can see that what Jem is saying is correct. The code is there for all to see (and was public on the pipdig code repo too!). Pipdig quickly rattled out a statement denying the wrongdoing and tried to justify their actions. The kill switch isn’t a kill switch – nope – it’s a way of ‘factory-resetting’ a WordPress installation. There are much easier ways of resetting a WordPress site than deleting EVERY SINGLE thing from the database. The DDoSing was brushed aside as a licence check, despite the code saying otherwise. In short, they denied pretty much every single thing put to them.
However – it seems that Jem wasn’t the only person investigating pipdig. WordPress security experts ‘Wordfence’ had found the issues too; they wrote this post about them, along with their evidence. Wordfence had actually gone to pipdig with their allegations, and very quickly afterwards pipdig pushed out an update to the Power Pack plugin with the offending code removed. As well as this, they removed the files on their server that were used for the DDoS. Wordfence came knocking, and pipdig hid their evidence before the storm came. There was ‘nothing to see here’, but, sadly for pipdig, there was.
You see, when code is being developed it’s often stored in a ‘repository’ (or repo). This allows developers to track changes in code and essentially creates a ‘paper trail’ of everything. Over the weekend the pipdig repo was found – lots and lots of code was there for anyone to see. After it was discovered and mentioned on Twitter, pipdig set it to private, again hiding the evidence. The beauty of online repos is that they can easily be cloned, and I believe several people took copies before it went out of public view. A few further discoveries were made in that code too. As of this afternoon their repo is back online, full of ‘clean’ code, and with no version history of the dodgy stuff – which is, uhm… Well, I’ll let you draw your own conclusions.
While the news was spreading, more and more PHP developers and IT security experts stepped forward agreeing that the code in the pipdig plugin was at best irresponsible, and at worst, illegal. I’ve been watching the story unfold and haven’t seen one nerd step forward and offer an explanation defending the actions of pipdig. The general response has been “Yeeeeeeeeesh, that’s bad”.
Not everyone has been so quick to jump on pipdig. Many of their customers have defended their honour with aplomb. I’ve seen blue-ticked ‘influencers’ declaring that pipdig are safe, friendly, and these terrible accusations are unfounded. These testimonials have been flanked by smaller bloggers defending pipdig saying how great they are, how wonderful the themes are, and how nice people wouldn’t do anything like that. The general attitude has been either ‘well – I’ll wait it out and see what happens’ or ‘pipdig have changed the code, my site is now safe’ or ‘I like my theme, I don’t believe this, I’m sticking with them’.
I understand that the code is confusing to look at, and your average blogger wouldn’t understand it. Pipdig’s customer base will largely be folk who want to blog, but can’t be doing with the technical faff – they want a box to type in, a place to upload pictures, and for it all to look pretty. Pipdig do this well. There’s no denying it, they are a small company who have built up a BIG reputation and a loyal customer base. I think many brands would kill for such loyalty to their product. I don’t doubt that pipdig are wonderful people, who will work tirelessly to keep your blog up and running and their customers happy. Their customers have shown this over social media.
But.
The code is (or was) there as Jem and Wordfence described it. It was doing all the things they said. There is no denying it. It may be gone now from current versions – but it’s been there for a while.
These aren’t mistakes or accidents. Someone actually put all of it in the code and hid it there.
Why? Why would they do that?
An excellent question, and something that has been asked by pipdig fans lots over the weekend. Honestly – I don’t know. Why would they DDoS a competitor? Why would they want to be able to change the admin password? Why would they want to delete an entire blog with such ease?
Do they farm the development of their products elsewhere and these things have been placed in the code as an ‘insurance policy’ by the developer? Maybe?
Is this some code someone in their team was playing about with, and it somehow got left in a production build? Unlikely… but not impossible.
Is there a rogue employee tucking this stuff away for shits and giggles? Maybe?
All these thoughts have flown around my head – because ultimately pipdig are a small company and for them to do something this dangerous is, well – just stupid. Denying it in the face of a growing chorus of developers and security experts is even more stupid. But humans are stupid – so – who knows? Pipdig updated their original statement yesterday, and like the first, it was a denial of pretty much everything – which was pretty bold. They said it was the last thing they’d say about it all, so those of their customers awaiting ‘further information’ before deciding what to do will feel a little short-changed.
I don’t imagine pipdig will do a 180 on this issue and suddenly hold their hands up. I don’t imagine this story will go away either; it happened over the weekend, so tech news sites will no doubt be drafting stories about it very soon.
My personal opinion is: I trust Jem, I trust Wordfence, and heck, I can read the code for myself (just!) – so something serious HAS happened. In my opinion, if you have a pipdig theme, sack it off and get one from WordPress, ThemeForest or MyThemeShop – or even find a pretty free one while the storm is raging. I think this whole saga has demonstrated that so many bloggers don’t really know the nuts and bolts behind their blogs. It’s like owning a car and not knowing how to change a tyre or check your oil. Sure, you can pay a person to do it for you, but who knows what else they might try to up-sell while you’re there?
I don’t think pipdig deserve to be ruined over this saga; I don’t think they are monsters.
I don’t think they’ve handled it well at all. There might be time to turn it around… We’ll see.