JetPack XSS Security Issue - What We Did to Protect You
Added a Rule in Our WAF to Prevent Exploiting the Vulnerability
Our security team acted on the day the vulnerability was announced and added a dedicated rule to our web application firewall to block attempts to exploit it. In short, we began blocking every request that matches a pattern crafted by our security team. Before enabling the rule, we tested it thoroughly to make sure that legitimate requests to our customers’ sites would not be blocked, only the malicious ones. Note that this rule does not fix the root cause of the problem; it only stops attacks that try to gain unauthorised access to our customers’ sites through this security hole, which is why the plugin itself still has to be updated.
Updated the JetPack plugins of our clients
After the vulnerability was disclosed, the Automattic team that develops JetPack released an update for the plugin. Since we do not like leaving security holes unresolved, we notified all of our clients using JetPack that their plugins would be updated. Within a few days of the disclosure, we had updated 95% of all outdated JetPack plugins on our shared servers. About 5% of the attempted upgrades were unsuccessful, and in those cases we offered additional assistance to the affected site owners.