Tag Archives: Security/Privacy

Quick Status Update

Just found out today that CloudFlare DNS took a dump on my website, making it inaccessible for a week or two. This has happened before; last time it was caused by the Wordfence plugin for WordPress.

The DNS problem has been fixed.

UPDATE: turns out this issue may have been caused by 1and1 web hosting DNS failure or changes on their end. My subdomains broke too, which is not part of CloudFlare. I tried walking the 1and1 tech support guy through my problem, but he was very slow so I had to end the call and ask for a follow up from him once he finds the issue. I never received the follow up, so I just went into the 1and1 control panel, re-created all my subdomains, then everything was fixed. I still don’t get why even the CloudFlare page cache was failing to serve a cached version of my website though…I thought that was the whole point of using CloudFlare – to mitigate DNS issues and site downtime? Really scratching my head over this ordeal.

UPDATE 2: 1and1 got back to me and said a glitch in their system is what caused my sub-domains to stop working. They also informed their engineers of the problem and wanted me to know how important it is for them to answer my questions as quickly as possible. Although the support was slower than I would expect for a business package subscriber and I had to take matters into my own hands, I’m not too worried about this event and will be staying with 1and1 for the near future.

WP-OAuth Is Not Vulnerable to SpoofedMe Social Login Exploit

The SpoofedMe social login exploit is a known weakness of the OAuth2 “spec”. The OAuth2 spec doesn’t define strict implementation standards, so developers have free rein to come up with some pretty wild implementations, or hack together a few libraries until it works. And that’s where the problem lies: there is no standard. Furthermore, social login is something that is normally built on top of OAuth2, and there’s no standard for that either. Some folks are trying to standardize social login with OpenID Connect (I like to think of this as “OAuth2-Strict”), but until then we will be facing issues like SpoofedMe because developers are not gods.

The SpoofedMe exploit is actually similar to this one, from a Google security advisory earlier this year:

“An attacker could forge an OpenID request that doesn’t ask for the user’s email address, and then insert an unsigned email address into the IDPs response. If the attacker relays this response to a website that doesn’t notice that this attribute is unsigned, the website may be tricked into logging the attacker in to any local account.” –Link

Thankfully, I read the spec and decided not to implement this gaping security hole in WP-OAuth to begin with. Properly identifying users to perform the account match was one of the biggest design challenges I encountered: not only were there numerous docs and specs to work through, there were also a lot of existing implementations that did it wrong. I had to start from scratch.
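To make the account-matching point concrete, here is an added Python example (not code from WP-OAuth or the quoted advisory). It models an identity-provider response as a signed attribute set plus attributes carried unsigned, then contrasts a relying party that matches local accounts on whatever email it finds with one that verifies the signature, ignores unsigned attributes and keys on the provider’s permanent subject identifier. The issuer name, the HMAC “signature”, the user table and the subject values are all constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed shared secret standing in for the IdP's signing key (real IdPs sign with asymmetric keys).
IDP_SECRET = b"constructed-demo-signing-key"
IDP_ISSUER = "https://idp.example"  # constructed issuer name

# Constructed local user table: each account stores its email and the (issuer, subject)
# pairs it has been explicitly linked to.
LOCAL_USERS = {
    1: {"email": "victim@example.com", "links": {(IDP_ISSUER, "sub-1001")}},
    2: {"email": "attacker@example.net", "links": set()},
}


def sign_claims(claims):
    """Signature over the canonical JSON of the signed claims only."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()


def idp_response(signed, unsigned):
    """Model of an IdP response: a signed attribute set plus attributes carried unsigned."""
    return {"signed": dict(signed), "unsigned": dict(unsigned), "sig": sign_claims(signed)}


def legitimate_response():
    # The account owner really authenticated; the IdP signed a stable subject and a verified email.
    return idp_response(
        {"iss": IDP_ISSUER, "sub": "sub-1001", "email": "victim@example.com", "email_verified": True},
        {},
    )


def forged_response():
    # The scenario from the advisory quoted above: the request did not ask for an email, so the
    # IdP signed only issuer and subject; the relayed response carries an unsigned email attribute.
    resp = idp_response({"iss": IDP_ISSUER, "sub": "sub-9999"}, {})
    resp["unsigned"]["email"] = "victim@example.com"
    return resp


def vulnerable_match(resp):
    """Flawed relying party: merges unsigned and signed attributes, then matches on email."""
    attrs = {**resp["unsigned"], **resp["signed"]}
    for uid, user in LOCAL_USERS.items():
        if user["email"] == attrs.get("email"):
            return uid
    return None


def hardened_match(resp):
    """Relying party that checks the signature, ignores unsigned attributes, and keys on (iss, sub)."""
    if not hmac.compare_digest(sign_claims(resp["signed"]), resp["sig"]):
        return None  # tampered or unsigned response
    claims = resp["signed"]
    key = (claims.get("iss"), claims.get("sub"))
    for uid, user in LOCAL_USERS.items():
        if key in user["links"]:
            return uid
    # Email is consulted only as a signed claim the IdP itself marks as verified; an unsigned
    # email, or a signed but unverified one, never links to an existing account.
    if claims.get("email_verified") is True and "email" in claims:
        for uid, user in LOCAL_USERS.items():
            if user["email"] == claims["email"]:
                return uid
    return None


if __name__ == "__main__":
    print("vulnerable, forged  ->", vulnerable_match(forged_response()))
    print("hardened,   forged  ->", hardened_match(forged_response()))
    print("hardened,   genuine ->", hardened_match(legitimate_response()))
```

The forged response logs the relay in as user 1 under the vulnerable matcher and is rejected by the hardened one, while the genuine response still resolves to user 1 through its linked (issuer, subject) pair. Keying on the subject identifier is also what lets a user change their email at the provider without breaking the link.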

A Major Google Analytics Problem is Brewing with Referer Spam (Semalt, buttons for website, 7makemoneyonline, darodar), and They’re Doing Nothing About It (TM)

I’ve noticed the same problem that others have been experiencing with Google Analytics lately – an influx of botnet referer spam from domains semalt.com, buttons-for-website.com, darodar.com and 7makemoneyonline.com (the list continues to grow), making their way to the top of your “Top Referrals” list. This traffic is throwing off analytics and may have long-term SERP implications. From the sound of it, most users are either having a difficult time filtering (excluding) the domains and traffic through Google Analytics, and/or resorting to blocking the domains via their .htaccess file.

This is a public service announcement.

DO NOT USE THE SEMALT OPT-OUT FORM!!!

Instead, offer them a clue about what orifice they can stuff that form in.

While I’m not the best SEO guy around, I’d have to say this looks like a traffic-stealing campaign where, somehow, they are using an opt-out form to phish/harvest backlinks and/or SERP rankings from your domain, or to upsell you on better analytics software.

Furthermore, it seems that users are being scammed by what I would call social engineering agents who work for Semalt and lurk on public forums to point users towards an opt-out form run by them, effectively phishing users through Google Analytics. You might say that Google Analytics has been compromised. And what better way for Semalt to sell their own analytics software than to game their largest competitor’s software and lure users away from it? Semalt is literally using Google Analytics for free clicks and advertising, completely bypassing Google’s own pay-per-click advertising model. Instead of the phishing scam hitting your email inbox, it’s hitting your analytics report.

Some of the referer URLs contain my own Google Analytics ID. For example – forum.topicXXXXXXX.darodar.com – where XXXXXXX is your Google Analytics ID. I’d say they are using a script to iterate through all Google Analytics IDs starting with 0000000, effectively generating traffic and analytics records for every site on the web that uses Google Analytics. But that’s not all: once you visit that referer URL with your Google Analytics ID in it, you’ve just told the spammers that your Google Analytics account is alive and well. It’s probably the same thing Semalt is doing with their opt-out form.

In doing so, these spammers would have the ability to sway traffic one way or another throughout the entire Google Analytics ecosystem without wasting botnet resources on inactive or retired Google Analytics accounts.

Shouldn’t Google be upset about that? This is not just a new type of spam or black hat SEO; it is a new type of marketing warfare or analytics malware.
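For anyone who wants to see how much of this traffic reaches the server itself, here is an added Python example (not from the original post) that classifies referers in web server log lines. The spam domains are the ones named above; the log lines and the site’s own Google Analytics property number are constructed. Two details matter in practice: matching must be on the registered domain and its subdomains (so forum.topic1234567.darodar.com is caught but notdarodar.com is not, which a naive substring check would get wrong), and the property number embedded in the referer host is extracted so you can tell which hits were probing your own ID.

```python
import re
from urllib.parse import urlsplit

# Referer domains named in the post.
SPAM_DOMAINS = {"semalt.com", "buttons-for-website.com", "darodar.com", "7makemoneyonline.com"}

# Constructed: the numeric part of this site's own Google Analytics property ID.
MY_GA_PROPERTY = "1234567"

# Host label of the form topic<digits>, as seen in the darodar referer pattern.
GA_ID_IN_HOST = re.compile(r"(?:^|\.)topic(\d+)\.", re.IGNORECASE)

# Last two quoted fields of the combined log format: referer and user agent.
LOG_RE = re.compile(r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$')

# Constructed sample log lines in Apache combined format.
LOG_LINES = [
    '203.0.113.7 - - [10/Nov/2014:10:01:12 +0000] "GET / HTTP/1.1" 200 5120 "http://forum.topic1234567.darodar.com/" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Nov/2014:10:02:01 +0000] "GET /blog/ HTTP/1.1" 200 8192 "http://semalt.com/crawler.php" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Nov/2014:10:03:45 +0000] "GET /blog/ HTTP/1.1" 200 8192 "https://www.example.org/links" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Nov/2014:10:04:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Nov/2014:10:05:00 +0000] "GET / HTTP/1.1" 200 5120 "http://notdarodar.com/" "Mozilla/5.0"',
]


def referer_host(referer):
    """Lower-cased hostname of a referer URL, or None for an empty/'-' referer."""
    if not referer or referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def host_matches(host, domain):
    """True if host is the domain itself or one of its subdomains (never a mere substring)."""
    return host == domain or host.endswith("." + domain)


def classify_referer(referer):
    """Return kind ('none', 'legit' or 'spam'), the matched spam domain, and any embedded GA ID."""
    host = referer_host(referer)
    if host is None:
        return {"kind": "none", "domain": None, "ga_probe": None}
    for domain in sorted(SPAM_DOMAINS):
        if host_matches(host, domain):
            match = GA_ID_IN_HOST.search(host)
            return {"kind": "spam", "domain": domain, "ga_probe": match.group(1) if match else None}
    return {"kind": "legit", "domain": host, "ga_probe": None}


def summarize(lines):
    """Count spam hits per domain, legit/no-referer hits, and probes carrying our own GA ID."""
    counts = {"spam": {}, "legit": 0, "none": 0, "probes_for_my_property": 0}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        c = classify_referer(m.group("referer"))
        if c["kind"] == "spam":
            counts["spam"][c["domain"]] = counts["spam"].get(c["domain"], 0) + 1
            if c["ga_probe"] == MY_GA_PROPERTY:
                counts["probes_for_my_property"] += 1
        else:
            counts[c["kind"]] += 1
    return counts


if __name__ == "__main__":
    print(summarize(LOG_LINES))
```

Running it over the sample lines reports one darodar.com hit and one semalt.com hit, two legitimate referers (www.example.org and notdarodar.com) and one request with no referer, with the darodar hit flagged as carrying this site’s own property number.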

WP-OAuth Screenshot Preview

While I’m working on the next version of WP-OAuth – a free social login plugin for WordPress – I thought I’d drop this screenshot preview of some upcoming features.

There will be some new settings, such as having the ability to automatically logout inactive users, suppress the welcome email during registration, or assign a user role during registration (even in Multisite, which removes this option). We also have a bug fix for cloud-based hosting providers such as Heroku, courtesy of our first open-source contributor, larsschenk.

But aside from that, I’ve included provider icons for the login buttons and you’ll be able to change the icon size, choose from different icon sets, or easily design/include your own icons. This leads us towards new layouts, all of which are configurable via the settings page or shortcode attributes:

Links-Column layout, styling handled by the theme:

[Screenshot: login-form-layout1a]

Buttons-Column layout:

[Screenshot: login-form-layout2c]

Buttons-Row layout, no prefix or name:

[Screenshot: login-form-layout3a]

Buttons-Row layout, no prefix, name or padding:

[Screenshot: login-form-layout3b]

Settings page overhaul (again), now includes a shortcode designer and fully responsive/fluid layout for mobile devices:

[Screenshot: settings page]

Settings page responsive/fluid layout for mobile devices:

8 Social Login Plugins for WordPress Compared

I’m doing a survey of 8 popular social login plugins for WordPress, including WordPress Social Login, Social Login, Social, LoginRadius, Users Ultra, WP-OAuth, Janrain Social Login and Social Connect.

Whether you’re interested in a free lightweight plugin, a premium (paid) plugin, or a subscription-based plugin whose experts will custom tailor their solution to your needs, you’ve come to the right spot.

The following is a table of results, as of this writing in November, 2014. Some of the info required investigation of the plugin’s source code.

PLUGIN OVERVIEW

| | WordPress Social Login | Social Login | Social | LoginRadius | Users Ultra | WP-OAuth | Janrain Social Login | Social Connect |
|---|---|---|---|---|---|---|---|---|
| Developer | Miled | Claude Schlesser / OneAll | Alex King / Crowd Favorite / MailChimp | LoginRadius | Users Ultra | Perry Butler | Byron / Janrain | Rodrigo Primo |
| Rating | 4.1 (135 reviews) | 3.9 (235 reviews) | 3.4 (108 reviews) | 3.4 (113 reviews) | 4.8 (129 reviews) | 5.0 (2 reviews) | 3.5 (78 reviews) | 4.2 (110 reviews) |
| Requires WP version | 3.0+ | 3.0+ | 3.8+ | 3.4+ | 3.0.1+ | 4.0+ | 3.5+ | 3.0+ |
| Total number of downloads | 153,977 | 328,353 | 362,033 | 256,620 | 59,000 | 710 | 133,147 | 86,697 |
| Number of downloads over 1 week | 2,216 (+1.4%) | 1,677 (+0.5%) | 4,227 (+1.2%) | 2,354 (+0.9%) | 3,132 (+5.3%) | 207 (+34.3%) | 47 (+0.03%) | 232 (+0.26%) |
| Last updated | 9 days ago | 29 days ago | 331 days ago | 20 days ago | Today | Today | 90 days ago | 68 days ago |
| Cost | Free | Freemium or $8-$158 monthly | Free | Freemium or $150-$450 monthly | Freemium or $50-$160 yearly | Free | Freemium or $10-$2,250 monthly | Free |

PLUGIN FEATURES AND LIMITATIONS

| | WordPress Social Login | Social Login | Social | LoginRadius | Users Ultra | WP-OAuth | Janrain Social Login | Social Connect |
|---|---|---|---|---|---|---|---|---|
| Social login included with free version | Yes | Yes | Yes | No | No | Yes | Yes | Yes |
| Number of providers | 25+ | 25+ | 2 | 25+ | 5 | 8 | 30+ | 5 |
| White label / unbranded | Yes | Requires paid plan | Yes | Requires paid plan | Yes | Yes | Requires paid plan | Yes |
| Login / registration limits | No | >2,500 users requires paid plan | No | No | No | No | >2,500 users requires paid plan | No |
| Site / domain usage limits | No | No | No | No | Paid plans allow usage on 1 site or unlimited sites | No | No | No |
| Creates (registers) new WordPress user accounts automatically | Yes | Yes | Yes | Yes | Yes (Paid plan) | Yes | Yes | Yes |
| Link third-party providers to WordPress user accounts | Yes | Yes | No | Yes | Yes (Paid plan) | Yes | Yes | No |
| Works with existing user accounts | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Provides login widgets or shortcodes | Yes | Yes | No | Yes | Yes (Paid plan) | Yes | No | Yes |
| Import friends, contacts, etc. from third-party providers | Yes | No | No | No | Yes (Paid plan) | No | Yes | No |
| Social commenting | No | No | Yes | Yes | No | No | No | No |
| Social sharing | No | Yes | Yes | Yes | No | No | Yes | No |
| Includes login and registration tracking / stats | No | No | No | No | Yes (Paid plan) | No | No | No |
| Customize where users are redirected after login/logout | No | Yes | No | Yes | Yes | Yes | No | No |

The following rows survive only partially in the source (one or no values, column unknown):

Compatible with WordPress Multisite: Yes (Paid plan)
Compatible with BuddyPress: Yes
Compatible with bbPress: Yes
Compatible with Theme My Login:

PLUGIN TECHNOLOGY AND SECURITY

| | WordPress Social Login | Social Login | Social | LoginRadius | Users Ultra | WP-OAuth | Janrain Social Login | Social Connect |
|---|---|---|---|---|---|---|---|---|
| Authentication method | OAuth | OAuth | OAuth | OAuth | OAuth, OpenID | OAuth, OpenID Connect | OAuth | OAuth, OpenID |
| Users are authenticated through a proxy, middleman, single integration point or online service that sits between the WordPress site and the third-party providers | No | Yes, OneAll | Yes, MailChimp | Yes, LoginRadius | No | No | Yes, Janrain Engage | No |
| Identifies authenticated users via their permanent unique user identifier | Yes, with email address | No, identifies via email address | No, identifies via username | No, identifies via email address | Yes, with email address | Yes | Yes | No, identifies via email address |
| Requests and/or stores private or sensitive user info from the third-party | Yes, the user’s email address | Yes, the user’s email address, avatar, full name, etc. | Yes, the user’s username | Yes, the user’s email address | Yes, the user’s email address | No | No | Yes, the user’s email address |
| An open-source library included with the plugin handles authentication | Yes, HybridAuth | No | No | Yes, LoginRadius PHP SDK | Yes, Google API PHP Client, LightOpenID, Twitter OAuth, etc. | No | No | Yes, Facebook PHP SDK, LightOpenID |
| Uses an outdated or deprecated technology / library | No | No | No | No | Yes, LightOpenID | No | No | Yes, LightOpenID |
| Calls third-party provider APIs that are secured with SSL via insecure (non-SSL) URLs | No | No | No | No | No | No | No | Yes |
| Educates users/admins about good security practices when using the plugin | No | No | No | No | No | Yes | No | No |
| Includes one or more settings related to security | No | Yes | No | No | No | Yes | No | No |
| Warns admins when configuration changes may affect security | No | Yes | N/A | N/A | N/A | Yes | N/A | N/A |
| Installs with and defaults to a secure configuration | No | Yes | N/A | N/A | N/A | Yes | N/A | N/A |
| Mentions SSL / HTTPS at all | No | Yes | No | Yes | No | Yes | No | No |
| Recommends the WordPress site to use an SSL certificate | No | No | No | No | No | No | No | No |
| Requires the WordPress site to use an SSL certificate | No | No | No | No | No | No | No | No |
| SSL features are enabled by default | No | Yes | N/A | N/A | N/A | Yes | N/A | N/A |
| Performs SSL host verification | No | No | N/A | No | No | Yes | Yes | No |
| Performs SSL peer verification | No | No | N/A | No | No | Yes | No | No |
| Performance overhead – tested with P3 Performance Profiler (lower is better) | 84%, 0.0362 sec | 52%, 0.0107 sec | 77%, 0.0354 sec | 89%, 0.0705 sec | 95%, 0.1087 sec | 51%, 0.0114 sec | 89%, 0.048 sec | 77%, 0.0212 sec |


WP-OAuth – Enhances Your WordPress Login and Registration

WP-OAuth is a WordPress plugin that I developed which allows users to log in or register by authenticating with an existing Google, Facebook, LinkedIn, GitHub, Reddit or Windows Live account via OAuth 2.0.

Install it from the Plugins page in your WordPress backend. Just search “WP-OAuth”.

More information and support are available at the WordPress Plugins Directory, or you may contribute via the open-source GitHub development repository.

Don’t Fear the July 9th Internet Doomsday, Take Action Now!

On July 9th, 2012 the FBI will shut down a group of servers operated by a cyber crime ring that it recently dismantled. These rogue criminals have jointly infected over 500,000 computer systems in the United States alone with variants of the “TDSS Alureon” malware. This malware redirects your computer’s internet traffic to servers run by those criminals, where they tailor your web browsing experience by injecting their own (risky and sometimes dangerous) search results, advertisements, products and services, hoping you’ll give them your money one way or another.

Why Carrier IQ’s “Cell Phone Spying Rootkit Software” is a Bad Thing Contrary to Expert Analysis

One statement that is constantly thrown out there to make Carrier IQ’s software seem legitimate is this:

“Three of the main complaints we hear from mobile device users are (1) dropped calls, (2) poor customer service, and (3) having to constantly recharge the device. Our software allows Operators to figure out why problems are occurring, why calls are dropped, and how to extend the life of the battery. When a user calls to complain about a problem, our software helps Operators’ customer service more quickly identify the specific issue with the phone.”

If it sounds useful to you, that’s because it is! Every device should have self-check and correction mechanisms in place. We have these in software programming; they’re called error handlers. In other applications, we may just have to log some data to visualize trends over time for an accurate diagnosis of existing problems or potential points of optimization.

My problem is not whether Carrier IQ may be “snooping” on people. As with any communications/telephony issue, these are the real security implications that I can see: