The problem with plugins
A plugin is a small software module that adds to or extends a website's functionality. Plugins exist for displaying social network widgets, collecting visitor statistics, creating surveys and other kinds of content, and much more.
Once you connect a plugin to your website's engine it runs on its own and demands attention only when an error occurs in its operation, and then only if somebody notices the error. Therein lies the danger of such modules: if the creator abandons the plugin or sells it to another developer, nothing on your side changes, and you will most likely not notice a thing.
Leaky plugins
Plugins that have not been updated for years are likely to contain unpatched vulnerabilities, which can be exploited to take control of a website or to plant on it a keylogger, a cryptocurrency miner, or whatever else the cybercriminals fancy.
Even when updates are available, website owners often overlook them, and vulnerable modules can remain active years after support for them is withdrawn.
Sometimes plugin creators do patch vulnerabilities, but for one reason or another the patches are never installed automatically. In some cases, for example, module authors simply forgot to bump the version number in the update. Update checkers compare version numbers, so clients who relied on automatic updating rather than checking manually saw nothing new and were left running the vulnerable version.
Plugin substitution
Some website content management platforms stop distributing modules that are no longer supported. However, neither a developer nor the platform can reach into users' websites and delete vulnerable plugins; doing so could cause disruption or worse.
What's more, abandoned plugins are often hosted not on the platform itself but on publicly available services such as cloud object storage. Your website's pages reference the plugin by its storage URL, so when the creator discontinues support or deletes the module, your site keeps requesting the script from the same location. Once the original storage container is gone, its name becomes free for anyone to register, and cybercriminals can easily claim or clone it and serve malware from the address where the plugin used to be.
That is precisely what happened with the New Share Counts tweet counter, which was hosted in Amazon S3 cloud storage. When support for the plugin was withdrawn, the developer posted a notice to that effect on its website, but more than 800 clients did not read it and left the plugin in place.
A while later, the plugin writer deleted the S3 bucket, and cybercriminals pounced. They created a bucket with the exact same name and put a malicious script in it. Websites still using the plugin began to load the new code, which, instead of showing the tweet counter, redirected users to a phishing resource promising a prize for completing a survey.
Change of owner, users unaware
Instead of abandoning their creations, developers sometimes sell them, and not all of them are picky about the buyer, so a cybercriminal can acquire a module quite easily. In that case, the next update may well deliver malware to your website.
Detecting such a takeover is very difficult: the malicious update arrives through the same channel, and with the same trust, as every legitimate update before it, so discovery is often a matter of pure chance.
Keep track of plugins on your site
As you can see, there are numerous ways to infect a website through the plugins installed on it, and not all of them can be countered by the hosting platform. We therefore recommend that you monitor the security of the plugins on your websites yourself.
- Compile an inventory of the plugins used on your resources, together with where each one is loaded from (the platform repository, a CDN, or a cloud storage bucket), and check and update it regularly.
- Read notices from the developers of third-party software you use and from the websites through which it is distributed.
- Keep plugins up to date at all times; if a plugin is no longer supported, replace it as soon as possible.
- If one of your company's websites is no longer needed and you stop supporting it, do not forget to delete its contents, including all plugins. Otherwise it is only a matter of time before a vulnerability in one of them gives cybercriminals a way to compromise your company.
- Employees who work with publicly accessible websites should be trained to handle modern cyberthreats, for example with the help of our ASAP platform.
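The bucket takeover described under "Plugin substitution" and the inventory item in the list above can be covered by one audit script. The Python below is an added example written for this page, not code from Kaspersky, from the New Share Counts developer, or from any CMS: it pulls every third-party `<script src>` out of a page, works out which ones are served from an Amazon S3 bucket, asks a probe function whether that bucket still exists (a name for which S3 answers NoSuchBucket is free for anyone to claim), flags scripts with no Subresource Integrity attribute, and computes the `integrity` value that would pin a script to its current bytes. The page markup, the bucket names `tweet-counter-widget` and `survey-widget-assets`, the host `cdn.example.net` and the answer table behind `demo_bucket_exists` are all constructed for the demo; `bucket_exists_http` is the live probe you would pass in instead.

```python
"""Audit third-party scripts on a page: find S3-hosted ones whose bucket has
been deleted (and is therefore open to takeover) and scripts loaded without
Subresource Integrity. Added example for this article; all sample data is
constructed."""
import base64
import hashlib
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Virtual-hosted style (bucket.s3.amazonaws.com, bucket.s3.eu-west-1.amazonaws.com,
# bucket.s3-us-west-2.amazonaws.com) and path-style (s3.amazonaws.com/bucket/...).
# Dual-stack and access-point hostnames are deliberately not covered.
_S3_VHOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
_S3_PATH = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


class _ScriptCollector(HTMLParser):
    """Collect the src and integrity attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def external_scripts(html, site_host):
    """Scripts fetched over http(s) from a host other than our own."""
    p = _ScriptCollector()
    p.feed(html)
    return [s for s in p.scripts
            if urlparse(s["src"]).scheme in ("http", "https")
            and urlparse(s["src"]).hostname not in (None, site_host)]


def s3_bucket(url):
    """Bucket name a URL is served from, or None if it is not S3-hosted."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    m = _S3_VHOST.match(host)
    if m:
        return m.group("bucket")
    if _S3_PATH.match(host):
        return u.path.lstrip("/").split("/", 1)[0] or None
    return None


def bucket_exists_http(bucket, timeout=5):
    """Live probe (not used in the offline demo). S3 answers 404 NoSuchBucket for
    a name nobody owns; 200, 301 (other region) and 403 (private) all mean the
    bucket exists. Bucket names containing dots do not match S3's wildcard TLS
    certificate, so those are probed over plain http (only the status matters)."""
    scheme = "http" if "." in bucket else "https"
    req = urllib.request.Request(f"{scheme}://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        urllib.request.urlopen(req, timeout=timeout)
        return True
    except urllib.error.HTTPError as e:
        return e.code != 404


def audit(html, site_host, bucket_exists):
    """One finding per external script, with a list of issues: 'bucket-missing'
    if its S3 bucket no longer exists, 'no-sri' if the tag has no integrity."""
    findings = []
    for s in external_scripts(html, site_host):
        bucket = s3_bucket(s["src"])
        issues = []
        if bucket is not None and not bucket_exists(bucket):
            issues.append("bucket-missing")
        if not s["integrity"]:
            issues.append("no-sri")
        findings.append({"src": s["src"], "bucket": bucket, "issues": issues})
    return findings


def sri_attribute(content):
    """integrity= value pinning a script to exactly these bytes."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


# Constructed page and bucket table standing in for a real site and a live probe.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://tweet-counter-widget.s3.amazonaws.com/counter.js"></script>
<script src="https://s3.eu-west-1.amazonaws.com/survey-widget-assets/embed.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
</head></html>"""
KNOWN_BUCKETS = {"survey-widget-assets": True}   # tweet-counter-widget has been deleted


def demo_bucket_exists(bucket):
    return KNOWN_BUCKETS.get(bucket, False)


if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, "www.example.com", demo_bucket_exists):
        print(f["src"], f["bucket"], f["issues"] or "ok")
    print(sri_attribute(b"console.log('tweet counter');"))
```

Pass `bucket_exists_http` as the third argument of `audit` to run it against a real page. Two caveats: a bucket that still exists may already have been recreated by someone else, so the probe only catches the window before a takeover; keep the hash of each script in your inventory and compare it against what the URL serves today. And SRI on a cross-origin script only works when the tag also carries `crossorigin="anonymous"` and the host sends `Access-Control-Allow-Origin`, which on S3 means adding a CORS configuration to the bucket; the browser then refuses to run any script whose bytes no longer match, so a legitimate update also forces you to review it and refresh the hash, which is exactly the point.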