Hackers can force iOS and macOS browsers to divulge passwords and much more

iLeakage is practical and requires minimal resources. A patch isn’t (yet) available.

Researchers have devised an attack that forces Apple’s Safari browser to divulge passwords, Gmail message content, and other secrets by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices.

iLeakage, as the academic researchers have named the attack, is practical and requires minimal resources to carry out. It does, however, require extensive reverse-engineering of Apple hardware and significant expertise in exploiting a class of vulnerability known as a side channel, which leaks secrets based on clues left in electromagnetic emanations, data caches, or other manifestations of a targeted system. The side channel in this case is built on speculative execution, a performance feature of modern CPUs that has formed the basis of a wide corpus of attacks in recent years. The nearly endless stream of exploit variants has left chip makers, primarily Intel and, to a lesser extent, AMD, scrambling to devise mitigations.

Exploiting WebKit on Apple silicon

The researchers implement iLeakage as a website. When visited by a vulnerable macOS or iOS device, the website uses JavaScript to surreptitiously open a separate website of the attacker’s choice and recover site content rendered in a pop-up window. The researchers have successfully leveraged iLeakage to recover YouTube viewing history, the content of a Gmail inbox—when a target is logged in—and a password as it’s being autofilled by a credential manager. (In an email sent five days after this post went live, a Google representative pointed out the obvious: the leakage is the result of the side-channel and WebKit behavior and Gmail is simply a hypothetical downstream target. There are no indications iLeakage has been exploited in the wild.)

Once visited, the iLeakage site requires about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.

“We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution,” the researchers wrote on an informational website. “In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.”

Top: Google’s accounts page autofilled by password manager, where the password is googlepassword. Bottom: Leaked page data with credentials highlighted. (Figure: Kim, et al.)

While iLeakage works against Macs only when running Safari, iPhones and iPads can be attacked when running any browser because they’re all based on Apple’s WebKit browser engine. An Apple representative said iLeakage advances the company’s understanding and that the company is aware of the vulnerability and plans to address it in an upcoming software release. There is no CVE designation to track the vulnerability.

Unique WebKit attributes are one crucial ingredient in the attack. The design of Apple’s A-series and M-series silicon, the company’s own CPUs for iOS and macOS devices respectively, is the other. Both chip families contain defenses meant to protect against speculative execution attacks. Weaknesses in the way those protections are implemented ultimately allowed iLeakage to prevail over them.

Source and more details: Hackers can force iOS and macOS browsers to divulge passwords and much more | Ars Technica

Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft

Threat hunters have discovered a rogue WordPress plugin that’s capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information.

The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.

“As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy,” security researcher Ben Martin said. “In this case, comments claim the code to be ‘WordPress Cache Addons.’”

Malicious plugins typically find their way to WordPress sites via either a compromised admin user or the exploitation of security flaws in another plugin already installed on the site.

Post-installation, the plugin replicates itself to the mu-plugins (must-use plugins) directory, where WordPress loads it automatically on every request and where it does not appear in the regular plugin list of the admin panel.

“Since the only way to remove any of the mu-plugins is by manually removing the file, the malware goes out of its way to prevent this,” Martin explained. “The malware accomplishes this by unregistering callback functions for hooks that plugins like this normally use.”

The fraudulent plugin also comes with an option to create an administrator user account and hide it from the legitimate website admin, to avoid raising red flags and to keep access to the target for extended periods of time.

The ultimate objective of the campaign is to inject credit card stealing malware in the checkout pages and exfiltrate the information to an actor-controlled domain.

“Since many WordPress infections occur from compromised wp-admin administrator users it only stands to reason that they’ve needed to work within the constraints of the access levels that they have, and installing plugins is certainly one of the key abilities that WordPress admins possess,” Martin said.
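The two persistence tricks described above, a copy in mu-plugins and an administrator hidden from the Users screen, can both be checked without trusting the admin panel. The script below is an added hunting example, not code from the Sucuri write-up; it assumes a standard WordPress layout (wp-config.php in the docroot, tables named with the configured prefix), reads the database credentials from wp-config.php, and queries the tables directly with PDO, so a hook that filters accounts out of the admin user list has no effect on it. The keyword list is a starting heuristic of my own, not an indicator list from the report.

```php
<?php
// Added hunting script, not from the Sucuri write-up. Point it at a WordPress
// docroot. Assumptions: wp-config.php in that directory, mu-plugins under
// wp-content, MySQL reachable with the configured credentials.
// Usage: php hunt-rogue-plugin.php /var/www/html

$root = rtrim($argv[1] ?? getcwd(), '/');

// 1. Must-use plugins load on every request and have no deactivate link,
//    which is why the malware copies itself there. List them and flag
//    constructs worth a manual look (legitimate code can use them too).
$keywords = [
    'base64_decode', 'eval(', 'gzinflate', 'str_rot13',   // obfuscated code
    'wp_insert_user', 'add_role', 'set_role',             // account creation
    'pre_user_query', 'views_users', 'remove_filter',     // hiding users, disabling hooks
    'wp_remote_post', 'curl_exec',                        // data leaving the site
];
$muDir = "$root/wp-content/mu-plugins";
$files = glob("$muDir/*.php") ?: [];
printf("%d PHP file(s) in %s\n", count($files), $muDir);
foreach ($files as $file) {
    $src  = file_get_contents($file);
    $hits = array_filter($keywords, fn ($k) => stripos($src, $k) !== false);
    printf("  %-40s %s\n", basename($file),
        $hits ? 'REVIEW: ' . implode(', ', $hits) : 'no flagged constructs');
}

// 2. Every administrator according to the database, newest first.
$config = @file_get_contents("$root/wp-config.php");
if ($config === false) {
    exit("cannot read $root/wp-config.php\n");
}
$define = function (string $name) use ($config): string {
    $re = '/define\(\s*[\'"]' . $name . '[\'"]\s*,\s*[\'"]([^\'"]*)[\'"]\s*\)/';
    if (!preg_match($re, $config, $m)) {
        exit("$name not found in wp-config.php\n");
    }
    return $m[1];
};
// Prefix restricted to [A-Za-z0-9_] so it can be interpolated into SQL safely.
$prefix = preg_match('/\$table_prefix\s*=\s*[\'"]([A-Za-z0-9_]+)[\'"]/', $config, $m)
    ? $m[1] : 'wp_';

// DB_HOST may be "host", "host:port" or "host:/path/to/socket".
$host = $define('DB_HOST');
$dsn  = 'mysql:dbname=' . $define('DB_NAME') . ';charset=utf8mb4;';
if (preg_match('/^(.*):(\d+)$/', $host, $m)) {
    $dsn .= "host={$m[1]};port={$m[2]}";
} elseif (preg_match('/^(.*):(\/.*)$/', $host, $m)) {
    $dsn .= "unix_socket={$m[2]}";
} else {
    $dsn .= "host=$host";
}
$pdo = new PDO($dsn, $define('DB_USER'), $define('DB_PASSWORD'), [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Capabilities live in usermeta as a serialized array under "<prefix>capabilities".
$stmt = $pdo->prepare(
    "SELECT u.ID, u.user_login, u.user_email, u.user_registered
       FROM {$prefix}users u
       JOIN {$prefix}usermeta m ON m.user_id = u.ID
      WHERE m.meta_key = ? AND m.meta_value LIKE '%administrator%'
      ORDER BY u.user_registered DESC"
);
$stmt->execute(["{$prefix}capabilities"]);
echo "administrators per the database:\n";
foreach ($stmt as $row) {
    printf("  id=%-5s %-20s %-30s registered %s\n",
        $row['ID'], $row['user_login'], $row['user_email'], $row['user_registered']);
}
```

Compare the second list against the Users screen in wp-admin: an account that shows up here but not there is being hidden by a filter, which is the behaviour the report describes. For the mu-plugins list, anything you did not put there yourself deserves a read; a flagged keyword on its own is not proof, since caching and backup plugins legitimately use several of them.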

The disclosure arrives weeks after the WordPress security community warned of a phishing campaign that warns users of an unrelated security flaw and tricks them into installing a plugin under the guise of a patch. The plugin, for its part, creates an admin user and deploys a web shell for persistent remote access.

Sucuri said that the threat actors behind the campaign are leveraging the “RESERVED” status associated with a CVE identifier, which applies when an ID has been reserved by a CVE Numbering Authority (CNA) or security researcher but the details have not yet been filled in.

Source and more details: https://thehackernews.com/2023/12/rogue-wordpress-plugin-exposes-e.html

Over 100 WordPress Repository Plugins Affected by Shortcode-based Stored Cross-Site Scripting

On August 14, 2023, the Wordfence Threat Intelligence team began a research project to find Stored Cross-Site Scripting (XSS) via Shortcode vulnerabilities in WordPress repository plugins. This type of vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using plugin shortcodes, which will execute whenever a victim accesses the injected page. We found over 100 vulnerabilities across 100 plugins which affect over 6 million sites. You can find the complete chart of affected plugins below.

All Wordfence users, including those still using the free version of the plugin, are protected by the Wordfence firewall’s built-in Cross-Site Scripting protection against any exploits targeting this type of vulnerability.

Why are these vulnerabilities so common?

By a general definition, shortcodes are unique macro codes added by plugin developers to dynamically and automatically generate content. Developers can use shortcode attributes to optionally add settings, making the content even more dynamic and providing more options for users.

It is important to note that shortcodes are typically used in the post content on WordPress sites, and WordPress core sanitizes post content before saving it to the database for any user who lacks the unfiltered_html capability, which includes contributors. Developers therefore tend to treat everything in post content as already sanitized.

Developers might assume that since WordPress core sanitizes post content, the attributes used in shortcodes are also sanitized and secure. However, the wp_kses_post() sanitization function only sanitizes complete HTML elements.

These vulnerabilities occur when the value provided in the shortcode attribute is output in dynamically generated content within the attributes of an HTML element. In such cases, the value specified in the shortcode contains only HTML element attributes, which are not sanitized during the save of a post. As mentioned earlier, the sanitize function only sanitizes complete HTML tags.

An example shortcode containing an HTML tag sanitized by the wp_kses_post() function:
[custom_link class="<p onmouseover='alert(/XSS/)'>Click Here!</p>"]
In this case, wp_kses_post() checks and sanitizes the entire <p> tag and its attributes.

An example shortcode not sanitized by the wp_kses_post() function:
[custom_link class="' onmouseover='alert(/XSS/)'"]
As there is no HTML tag in this case, the wp_kses_post() function does not check or sanitize anything.

Note: The above explanation demonstrates the usage of cross-site scripting within HTML attributes as it is the most common scenario, but the same problem applies to JS variable values, which will be equally vulnerable if not properly escaped.

Even the WordPress security handbook says the following about escaping output:

“Most WordPress functions properly prepare the data for output, and additional escaping is not needed.”

After reading this, developers might reasonably assume that the shortcode attributes are sanitized and secure. However, as demonstrated in the above example, there are exceptions.
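To make the gap concrete, here is the shortcode handler that has the bug described above next to its hardened form. This is an added example, not code from the Wordfence post or from any of the affected plugins; the shortcode name, its attributes and the stand-in helper functions are assumptions for illustration (the stand-ins mirror esc_attr(), esc_html() and shortcode_atts() closely enough to show the behaviour from the command line, and are skipped inside WordPress where the real functions exist).

```php
<?php
// Added example, not code from the Wordfence post or from any affected plugin.
// The shortcode name, its attributes and the stand-in helper functions are
// assumptions for illustration. Run with: php shortcode-xss.php

// Stand-ins so the file runs from the CLI. Inside WordPress these functions
// already exist; the guards keep this file from redeclaring them.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        // Keep only the attributes the handler declared, filling in defaults.
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}

// Vulnerable handler: the attribute value is written into an HTML attribute
// untouched. wp_kses_post() saw no tag in the stored shortcode text, so a
// value such as  ' onmouseover='alert(/XSS/)'  reaches this point intact.
function custom_link_vulnerable($atts) {
    $a = shortcode_atts(['class' => 'btn', 'text' => 'Click Here!'], $atts);
    return "<a href='#' class='{$a['class']}'>{$a['text']}</a>";
}

// Hardened handler: escape each value for the context it is written into,
// esc_attr() inside attributes and esc_html() for element content.
function custom_link_fixed($atts) {
    $a = shortcode_atts(['class' => 'btn', 'text' => 'Click Here!'], $atts);
    return "<a href='#' class='" . esc_attr($a['class']) . "'>"
         . esc_html($a['text']) . '</a>';
}

// Registration as a plugin would do it; skipped when run outside WordPress.
if (function_exists('add_shortcode')) {
    add_shortcode('custom_link', 'custom_link_fixed');
}

// Constructed payload: the attribute from the second example above, i.e. what
// a contributor could save in a post without wp_kses_post() objecting.
$payload = ['class' => "' onmouseover='alert(/XSS/)'"];
echo custom_link_vulnerable($payload), PHP_EOL;
echo custom_link_fixed($payload), PHP_EOL;
```

With that payload the vulnerable handler emits class='' onmouseover='alert(/XSS/)'' , so the single quote closes the class attribute and the event handler becomes a real attribute of the link; the hardened handler turns each quote into &#039; and the whole string stays inside the class value. The rule that falls out of this is the one the handbook sentence quoted above glosses over: wp_kses_post() protects stored content, but a handler that builds markup from shortcode attributes is producing new output and must escape for the output context itself.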

See the full list of affected plugins as well as more technical details at https://www.wordfence.com/blog/2023/12/over-100-wordpress-repository-plugins-affected-by-shortcode-based-stored-cross-site-scripting/

Stored XSS Fixed In Popup Builder 4.2.3

During an analysis of the Popup Builder plugin, WPScan discovered a serious Stored XSS vulnerability that can be exploited by any attacker, regardless of whether they have an account on the site.

When successfully exploited, this vulnerability may let attackers perform any action the logged-in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins, and creating new rogue Administrator users.

Upon identifying the vulnerability, we promptly alerted the authors of that plugin, who released version 4.2.3 to fix the issue. It is crucial for administrators of sites using this plugin to ensure it is fully updated to safeguard against this vulnerability.

Original report: https://a8cteam5105.wordpress.com/vulnerability/941a9aa7-f4b2-474a-84d9-9a74c99079e2/

Fix announcement and more details: https://a8cteam5105.wordpress.com/blog/stored-xss-fixed-in-popup-builder-4-2-3

Critical Unauthenticated Remote Code Execution Found in Backup Migration Plugin

On December 5, 2023, Wordfence received a submission for a PHP Code Injection vulnerability in Backup Migration, a WordPress plugin with over 90,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to inject and execute arbitrary PHP code on WordPress sites that use this plugin.

Wordfence quickly released a firewall rule to paid Wordfence customers on December 6, 2023. Sites still running the free version of Wordfence will receive the same protection 30 days later, on January 5, 2024.

Wordfence contacted the BackupBliss team, makers of the Backup Migration plugin, on the same day it released the firewall rule. After receiving full disclosure details, the team released a patch just hours later. Kudos to the BackupBliss team for an incredibly swift response and patch.

We urge users to update their sites with the latest patched version of Backup Migration, which is version 1.3.8 at the time of this writing, immediately.

Source and more details: https://www.wordfence.com/blog/2023/12/critical-unauthenticated-remote-code-execution-found-in-backup-migration-plugin/

See also: https://www.bleepingcomputer.com/news/security/50k-wordpress-sites-exposed-to-rce-attacks-by-critical-bug-in-backup-plugin/

PSA: High Severity File Upload Vulnerability in Elementor Patched

On December 6, 2023, the Wordfence team noticed a changelog entry for version 3.18.1 of Elementor, a WordPress plugin installed on nearly 9 million sites. We did not discover the original vulnerability and only became aware of it after reviewing the changelog containing a partial patch. Wordfence immediately released a firewall rule to paid Wordfence customers. The firewall rule will be made available to free Wordfence users 30 days later, on January 5, 2024.

After reviewing the vulnerability further, Wordfence determined that the patch was insufficient and could still be exploited, though it would be more difficult.

Wordfence immediately contacted the Elementor team the same day, on December 6, 2023, to let them know that the patch failed to fully resolve the issue. Elementor released a sufficient patch in version 3.18.2 on December 8, 2023. We commend the team at Elementor in their swift response to this situation.

Fortunately, the vulnerability, while severe, requires Contributor-level privileges or higher to exploit, which minimizes the number of sites likely to be impacted. Few sites use Contributors, and attackers would need to be able to register as a contributor or higher user, or obtain valid credentials for a contributor-level+ user account to exploit this vulnerability.

Source and more details: https://www.wordfence.com/blog/2023/12/psa-high-severity-file-upload-vulnerability-in-elementor-patched/

PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2

WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP (property-oriented programming) chain introduced in version 6.4 that, combined with a separate PHP Object Injection vulnerability in a plugin or theme, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site.

We urge all WordPress users to update to 6.4.2 immediately, as this issue could allow full site takeover if another vulnerability is present.
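Why a POP chain on its own is only half a bug, and why it still deserves an immediate update, is easiest to see in miniature. The following is an added example and not WordPress code: the class, the functions and the cookie are invented for illustration and do not reproduce the gadget that 6.4.2 removed. It shows the generic shape of the pair, an Object Injection sink (user bytes into unserialize()) plus a gadget class whose magic method acts on attacker-chosen properties, and the two fixes that close the sink.

```php
<?php
// Added example, not WordPress code. Names are invented for illustration and
// do not reproduce the WordPress 6.4 gadget. Run with: php pop-chain.php

// A gadget class: on its own this is ordinary housekeeping code. It becomes
// dangerous only because unserialize() lets an attacker create an instance
// with properties of their choosing, and __destruct() runs regardless.
class TempFileCleaner
{
    public string $path;
    public $onDestroy = 'unlink';            // callable applied to $path

    public function __construct(string $path) { $this->path = $path; }

    public function __destruct()
    {
        call_user_func($this->onDestroy, $this->path);   // attacker picks both
    }
}

// Vulnerable sink: user-controlled bytes go straight into unserialize(),
// which instantiates any class that happens to be loaded. This is the
// "separate Object Injection vulnerability" half of the pairing.
function load_prefs_vulnerable(string $cookie)
{
    return unserialize(base64_decode($cookie));
}

// Fix 1: forbid objects when only scalars/arrays are expected. Any object in
// the payload becomes __PHP_Incomplete_Class, whose magic methods never run.
function load_prefs_no_objects(string $cookie)
{
    return unserialize(base64_decode($cookie), ['allowed_classes' => false]);
}

// Fix 2 (preferred): use a format that cannot encode objects at all.
function load_prefs_json(string $cookie)
{
    return json_decode(base64_decode($cookie), true, 512, JSON_THROW_ON_ERROR);
}

// Constructed payload: what an attacker would send in place of the real
// preferences cookie. The callable is printf here so the demo is harmless;
// a real chain would pick something like 'system' with a command as $path.
$seed = new TempFileCleaner("gadget fired with attacker-controlled data\n");
$seed->onDestroy = 'printf';
$cookie = base64_encode(serialize($seed));
$seed->onDestroy = 'strlen';     // disarm the local instance

$obj = load_prefs_vulnerable($cookie);
echo 'vulnerable sink produced: ', get_class($obj), PHP_EOL;
unset($obj);                      // __destruct runs: the gadget fires

$safe = load_prefs_no_objects($cookie);
echo 'allowed_classes=false produced: ', get_class($safe), PHP_EOL;
unset($safe);                     // nothing runs

try {
    load_prefs_json($cookie);
} catch (JsonException $e) {
    echo 'json_decode rejected the payload: ', $e->getMessage(), PHP_EOL;
}
```

The point of the split is the same as in the advisory: removing the gadget (what 6.4.2 does) does not fix any plugin that still deserializes user input, and fixing the sink does not help a site whose other code loads a usable gadget. Core can only take its own gadget off the table, which is why the fix is worth applying even though no sink in core itself is involved.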

Source and more details: https://www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remote-code-execution-patched-in-wordpress-6-4-2

Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution

On November 24, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Unauthenticated Arbitrary File Upload vulnerability in the MW WP Form plugin, which is actively installed on more than 200,000 WordPress websites. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server when the “Saving inquiry data in database” option in the form settings is enabled.

All Wordfence customers are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Malicious File Upload protection.

Wordfence contacted the Web-Soudan Team on November 24, 2023, and received a response the same day. After providing full disclosure details, the developer released a patch on November 29, 2023. We would like to commend The Web-Soudan Team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of MW WP Form, which is version 5.0.2 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/12/update-asap-critical-unauthenticated-arbitrary-file-upload-in-mw-wp-form-allows-malicious-code-execution