JetPack XSS Security Issue – What We Did to Protect You

On October 1st, a security issue in JetPack, one of the most commonly used WordPress plugins, was disclosed by our partners at Sucuri. The vulnerability was severe because an attacker could use the plugin's contact form feature to insert JavaScript code that would then execute in the browser of an admin of your site. Needless to say, that could lead to all sorts of problems - injecting black-hat SEO links, adding backdoors for full access to your account, accessing private information, etc. In this recap post, we would like to summarise what we did to protect SiteGround users who have this plugin installed.

Added a Rule in Our WAF to Prevent Exploiting the Vulnerability

Our security team acted immediately on the day the vulnerability was announced and added a special rule to our web application firewall to block hacking attempts that try to use this exploit. Basically, we started blocking all requests that match a pattern crafted by our security team. Of course, before applying this firewall rule, we did enough testing to make sure that no legitimate requests to our customers' sites would be blocked, only the malicious ones. However, doing this does not fix the root cause of the problem; it only prevents attacks that try to gain unauthorised access to our customers' sites through this security hole.

Updated Our Clients' JetPack Plugins

After the disclosure of the vulnerability, the Automattic team that develops JetPack released an update for the plugin. Since we do not like leaving security holes unresolved, we notified all our clients using JetPack that their plugins would be updated. Just a few days after the disclosure, we had updated 95% of all outdated JetPack plugins on our shared servers. About 5% of the attempted upgrades were unsuccessful, in which case we offered additional assistance to the affected site owners.

Product Development - Technical

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

5 Comments

  1. October 13, 2015 / 04:02 Erik Joling

    I wasn't affected because I don't use Jetpack, but I like the way SiteGround is proactively trying to protect our websites. Thanks!

  2. November 10, 2015 / 01:43 Darko

    SiteGround. On top of it all - as always 🙂

  3. November 10, 2015 / 06:28 tom

    Keep up the great work. As always. Thank you!!

  4. November 10, 2015 / 10:00 Freyja W.

    Wonderful - thank you! When anyone asks me I say use SiteGround, of course. The best!

  5. November 30, 2015 / 08:26 Hristo Pandjarov (SiteGround Team)

    Always doing our best to protect our customers without interfering with their data!
