WordPress sites are hacked ‘within seconds’ after TLS certificates are issued


Adam Bannister May 06, 2022 at 13:36 UTC

Updated: May 06, 2022 13:43 UTC

Attackers pounce before site owners can activate setup wizard

Attackers are abusing the Certificate Transparency (CT) system to compromise new WordPress sites during the usually short window after the Content Management System (CMS) files go live but before the site owner completes the setup wizard, which is the point at which the install first gets an administrator password.

CT is a web security standard for monitoring and auditing TLS (aka SSL) certificates, which are issued by certificate authorities (CAs) to validate the identity of websites.

First implemented by the certificate authority DigiCert in 2013, the standard requires CAs to log all newly issued certificates in public, append-only logs, in the interest of transparency and the rapid discovery of malicious or misused certificates.

DDoS attacks

There is growing evidence that malicious hackers are monitoring these logs to spot newly certified WordPress domains and to complete the CMS setup themselves, after web admins have uploaded the WordPress files but before they manage to run the setup wizard and secure the site with a password.

Multiple first-hand accounts have emerged of sites being hacked within minutes, or even seconds, of a TLS certificate being requested.


Domain owners report finding a malicious file (/wp-includes/.query.php) on their servers and their sites being conscripted into DDoS attacks.

On a related thread on the support forum of Let’s Encrypt, a CA that issues free certificates and launched its own CT log in 2019, a Certbot engineer said the attacks “have been happening for a few years now”.

Reconnaissance techniques

Josh Aas, executive director of the Internet Security Research Group, which runs Let’s Encrypt, agreed with the engineer’s speculation about the attackers’ reconnaissance techniques.

“If the attacker queries the CT logs directly, he would see new certificate entries faster, giving him a larger window of time to launch the attack,” Aas told The Daily Swig. Parsing crt.sh, a certificate search site, “may also work, but propagating new certificates from CT takes longer.”

The attacks do not reflect a shortcoming in the CT system itself, which is behaving as designed: Let’s Encrypt says CT has “led to many enhancements to the CA ecosystem and web security” and “is rapidly becoming critical infrastructure”.

Aas said all publicly trusted CAs are required to submit certificates to CT logs “without delay after issuance.”
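To make concrete what “querying the CT logs directly” involves, and what a site owner can do with the same feed as an early-warning monitor for their own domains, here is an added example that is not code from the article, Let’s Encrypt or ISRG. It assumes an RFC 6962 (v1) log, whose get-sth endpoint reports a tree_size and whose get-entries endpoint returns base64 MerkleTreeLeaf structures; the HTTP calls are left to the caller, and the demo runs offline on a constructed leaf whose “certificate” consists only of a subjectAltName extension (so the hostname extraction is a byte-search for the SAN OID rather than a full X.509 parser).

```python
"""Watch a Certificate Transparency log for newly issued certificates.

Added example; not code from the article, Let's Encrypt or ISRG.
Assumes an RFC 6962 (v1) log: get-sth returns {"tree_size": N, ...} and
get-entries?start=S&end=E returns {"entries": [{"leaf_input": <base64>, ...}]}.
"""
import base64
import json
import struct

X509_ENTRY = 0
PRECERT_ENTRY = 1
# DER encoding of OID 2.5.29.17 (subjectAltName): tag, length, value
SAN_OID = bytes.fromhex("0603551d11")


def der_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def san_dns_names(cert_der):
    """Return the dNSName entries of a certificate's subjectAltName extension.

    Finds the SAN OID by byte search instead of walking the whole X.509
    structure: adequate for triage, not a validating parser.
    """
    idx = cert_der.find(SAN_OID)
    if idx < 0:
        return []
    tag, value, pos = der_tlv(cert_der, idx + len(SAN_OID))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, value, pos = der_tlv(cert_der, pos)
    if tag != 0x04:  # extnValue is an OCTET STRING
        return []
    tag, general_names, _ = der_tlv(value, 0)
    if tag != 0x30:  # GeneralNames ::= SEQUENCE OF GeneralName
        return []
    names, p = [], 0
    while p < len(general_names):
        tag, content, p = der_tlv(general_names, p)
        if tag == 0x82:  # [2] IMPLICIT IA5String = dNSName
            names.append(content.decode("ascii").lower())
    return names


def parse_leaf_input(leaf_input_b64):
    """Decode a MerkleTreeLeaf (RFC 6962 3.4): (timestamp_ms, entry_type, cert_der).

    X509 entries carry the end-entity certificate; precert entries carry the
    TBSCertificate after a 32-byte issuer_key_hash. Both contain the SAN.
    """
    leaf = base64.b64decode(leaf_input_b64)
    if leaf[0] != 0 or leaf[1] != 0:  # version v1, leaf_type timestamped_entry
        raise ValueError("unsupported MerkleTreeLeaf version or type")
    timestamp_ms, entry_type = struct.unpack(">QH", leaf[2:12])
    pos = 12 + (32 if entry_type == PRECERT_ENTRY else 0)
    cert_len = int.from_bytes(leaf[pos:pos + 3], "big")  # opaque <1..2^24-1>
    return timestamp_ms, entry_type, leaf[pos + 3:pos + 3 + cert_len]


def next_batch(last_seen_size, tree_size, batch=256):
    """Inclusive (start, end) for the next get-entries call, or None if the tree has not grown."""
    if tree_size <= last_seen_size:
        return None
    return last_seen_size, min(tree_size, last_seen_size + batch) - 1


def new_hostnames(entries_body):
    """Hostnames from a get-entries JSON body, wildcard prefix stripped, deduplicated in log order."""
    seen, out = set(), []
    for entry in json.loads(entries_body)["entries"]:
        _ts, _etype, cert = parse_leaf_input(entry["leaf_input"])
        for name in san_dns_names(cert):
            host = name[2:] if name.startswith("*.") else name
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out


def build_demo_leaf(domains, timestamp_ms, precert=False):
    """Constructed test data: a leaf whose 'certificate' is only a SAN extension
    (short-form DER lengths, so keep the total under 128 bytes)."""
    gn = b"".join(b"\x82" + bytes([len(d)]) + d.encode("ascii") for d in domains)
    san = b"\x30" + bytes([len(gn)]) + gn
    ext = SAN_OID + b"\x04" + bytes([len(san)]) + san
    fake_cert = b"\x30" + bytes([len(ext)]) + ext
    leaf = b"\x00\x00" + struct.pack(">QH", timestamp_ms, PRECERT_ENTRY if precert else X509_ENTRY)
    if precert:
        leaf += b"\x00" * 32  # issuer_key_hash placeholder
    leaf += len(fake_cert).to_bytes(3, "big") + fake_cert + b"\x00\x00"  # empty CtExtensions
    return base64.b64encode(leaf).decode("ascii")


if __name__ == "__main__":
    body = json.dumps({"entries": [
        {"leaf_input": build_demo_leaf(["example.com", "www.example.com"], 1651842960000)},
        {"leaf_input": build_demo_leaf(["*.shop.example.net"], 1651842961000, precert=True)},
    ]})
    print(next_batch(100, 1000), new_hostnames(body))
```

The polling loop is: fetch get-sth, call next_batch with the previously seen tree_size, fetch that range with get-entries, and feed the body to new_hostnames; every name that comes out is a domain that just got a certificate, which is exactly the signal the attackers act on. The same loop, filtered to your own domains, tells you within the log’s merge delay that a certificate was issued for a site you run.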

An argument for automation

He suggested that the responsibility for protecting new WordPress sites ultimately lies with domain owners and hosts.

“Obtaining a certificate from Let’s Encrypt can make it easier to detect a new install, but no one should put WordPress installs on the public internet until they are secure. If a hosting provider or other entity is doing so, please report it as a vulnerability in their deployment process.”


Josepha Haden, executive director of the WordPress project at Automattic, told The Daily Swig that the attacks “only affect direct installs – if a site is on a recommended host, or if the install process is automated, there is usually a pre-configured configuration file, so the install process is finished/is not interactive and there is little chance of attack”.

In a recent blog post on the subject, Colorado-based web design firm White Fir Design suggested that WordPress could solve the problem by having the domain owner prove “control of the website” upfront, “for example, adding a [template] file”.

On the Let’s Encrypt forum, Christopher Cook, developer of Certify The Web, a Windows client for Let’s Encrypt, suggested that WordPress “could randomize the installation URL and present it only to you in the console, or require a one-time token”.

Josepha Haden acknowledged that WordPress needed to “examine the problem. The Core team is aware and discussing the best changes as well as the best timing as we move forward with the rest of our releases for the remainder of the year,” she said.
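Haden’s point about pre-configured installs and the /wp-includes/.query.php file reported by affected owners together suggest a check a hosting provider can run across customer document roots. The following is an added example, not code from the article, WordPress or any host; it assumes the conventional layout (wp-admin/install.php, a wp-includes/ directory and wp-config.php in the document root) and builds its own throwaway fixture directories to run against. It can only see the filesystem: a root that has a wp-config.php but whose database has not been populated yet still serves the installer, so a clean result is not proof that the wizard is closed.

```python
"""Audit WordPress document roots for the exposure window discussed above.

Added example; not code from the article, WordPress or any hosting provider.
Flags (1) wp-admin/install.php present with no wp-config.php, meaning the setup
wizard is open to whoever reaches the host first, and (2) the file site owners
reported after compromise, wp-includes/.query.php.
"""
import os
import tempfile

WP_CONFIG = "wp-config.php"
WP_INSTALLER = os.path.join("wp-admin", "install.php")
REPORTED_DROPPER = os.path.join("wp-includes", ".query.php")  # path named in the owners' reports


def audit_docroot(docroot):
    """Return human-readable findings for one document root (empty list = nothing to flag)."""
    findings = []
    if not os.path.isdir(docroot):
        return findings
    installer = os.path.isfile(os.path.join(docroot, WP_INSTALLER))
    configured = os.path.isfile(os.path.join(docroot, WP_CONFIG))
    if installer and not configured:
        findings.append("UNCONFIGURED: wp-admin/install.php is present without wp-config.php; "
                        "the setup wizard will accept the first visitor's database and admin details")
    if os.path.isfile(os.path.join(docroot, REPORTED_DROPPER)):
        findings.append("INDICATOR: wp-includes/.query.php exists (file reported on hijacked installs)")
    return findings


def audit_many(roots):
    """Map each root to its findings; a host would iterate /var/www/* or per-customer homes."""
    return {root: audit_docroot(root) for root in roots}


def make_demo_docroot(base, configured, infected):
    """Constructed fixture (not a real install): only the paths the audit inspects."""
    for sub in ("wp-admin", "wp-includes"):
        os.makedirs(os.path.join(base, sub), exist_ok=True)
    open(os.path.join(base, WP_INSTALLER), "w").close()
    if configured:
        open(os.path.join(base, WP_CONFIG), "w").close()
    if infected:
        open(os.path.join(base, REPORTED_DROPPER), "w").close()
    return base


def demo():
    """Audit three constructed roots; returns {scenario: findings}."""
    scenarios = [("fresh-unconfigured", False, False),
                 ("hijacked", False, True),
                 ("configured", True, False)]
    with tempfile.TemporaryDirectory() as tmp:
        roots = [make_demo_docroot(os.path.join(tmp, name), c, i) for name, c, i in scenarios]
        results = audit_many(roots)
    return {os.path.basename(root): found for root, found in results.items()}


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings or ["ok"])
```

Run against real roots, the UNCONFIGURED finding is the one to act on immediately: either write wp-config.php and finish the install non-interactively before the vhost is reachable, or keep the vhost offline until the owner has done so, which is the deployment-process fix Aas describes above.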


