Wordpress data leakage risk flagged by security researcher

Content management system flaw could affect thousands of websites and blogs, it is feared.

Data breach

Researchers have highlighted a flaw in the Wordpress content management system that could put millions of users at risk of data leakage.

According to a report by security firm Whitehat, the blogging platform may not completely protect media files uploaded to sites in the same way it safeguards text, which could potentially leave a listed company at risk of insider trading or a design firm to copyright theft.

Advertisement - Article continues below

The problem is that because the timing between the media and the blog post isn't identical, you can end up in a race condition with the content.

WhiteHat Security technical evangelist Robert Hansen said the flaw is down to how Wordpress assigns URLs.

This could make it easy for attackers to guess which files and attachments are for postings that have not gone live or been approved, it is feared.

"The problem is that because the timing between the media and the blog post isn't identical, you can end up in a race condition with the content," said Hansen.

"For instance, let's say you run a publicly traded company and you are about to release your earnings report on your blog. You may upload a PDF of the earnings report a day or multiple days in advance to make sure everything is perfect and ready to go when you announce."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

An attacker might be able to guess the URL for the PDF of this earnings report and download it potentially days in advance, he added. "This would allow them to trade in advance of your company's earning reports.

Despite this, he claimed the flaw's severity is low, and apart from data leakage, it could not be used to mount attacks such as code injection or cross-site scripting.

Earlier this year, IT Pro reported that hackers were using brute force against thousands of Wordpress sites' administration accounts in order to compromise sites and spread malicious material.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Most Popular

Visit/security/privacy/355155/zoom-kills-facebook-integration-after-data-transfer-backlash
privacy

Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/cloud/355098/ibm-dedicates-supercomputing-power-to-coronavirus-researchers
high-performance computing (HPC)

IBM dedicates supercomputing power to coronavirus research

24 Mar 2020