WPBook is a WordPress plugin by John Eckman, the CEO of 10up. WPBook has had over 162,000 downloads and helps people connect their site to Facebook. When we tested WPBook version 3.7 we found a security hole in less than a minute, but before we get to the security hole you need to understand how this plugin works. The plugin lets you connect to Facebook by adding your own Facebook app. To do this you are supposed to have access to the admin panel, and can then only enter a Facebook app to connect to, so how could anything go wrong if you need to be logged in to see it? Unfortunately, the plugin had no protection to keep intruders from editing the backend page where you update the Facebook app connection, secret key, etc. Most people wouldn’t realize what harm could be done by being able to change this information, beyond disconnecting the site from Facebook. Oh well, the owner would have to come in and fix it later. Unfortunately, that isn’t all you can do. You can also hook an app you control into a remote site that you shouldn’t have access to. Now your app is hooked into their site. There are plenty of things one could do with this exploit.
It is important to note that this vulnerability can only be exploited if a user who is logged in to the site clicks a link or comment, views a malicious image, etc. that changes the Facebook connection information.
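The class of bug described above is a settings handler that trusts any POST reaching it, with no proof the request came from the plugin's own form. The following is an added illustration, not WPBook's code: a hypothetical handler in the vulnerable shape beside the same handler with the capability check, nonce check and sanitization that stop a forged request. Option names, the nonce action and function names are placeholders.

```php
<?php
// Added illustrative example (not WPBook's own code). Option names, the
// capability and the nonce action are hypothetical placeholders.

// BEFORE: writes whatever arrives in $_POST straight into the options table.
// A request that reaches this page while an admin is logged in (a link, a
// hidden form, an image tag on another site) is honoured, because nothing
// proves it was intentionally sent from the plugin's own settings form.
function hypothetical_save_settings_vulnerable() {
    if ( isset( $_POST['fb_app_id'] ) ) {
        update_option( 'hyp_fb_app_id',     $_POST['fb_app_id'] );
        update_option( 'hyp_fb_app_secret', $_POST['fb_app_secret'] );
    }
}

// AFTER: the three checks a WordPress settings handler needs.
function hypothetical_save_settings_fixed() {
    if ( ! isset( $_POST['fb_app_id'] ) ) {
        return;
    }
    // 1. The logged-in user must be allowed to change site options at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. The request must carry the nonce our own form emitted; a request
    //    forged from another site cannot know it and dies here.
    check_admin_referer( 'hyp_save_fb_settings', 'hyp_nonce' );
    // 3. Sanitize before storing.
    update_option( 'hyp_fb_app_id',     sanitize_text_field( wp_unslash( $_POST['fb_app_id'] ) ) );
    update_option( 'hyp_fb_app_secret', sanitize_text_field( wp_unslash( $_POST['fb_app_secret'] ) ) );
}

// The form paired with the fixed handler must embed the matching nonce field.
function hypothetical_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'hyp_save_fb_settings', 'hyp_nonce' ); ?>
        <input type="text" name="fb_app_id"
               value="<?php echo esc_attr( get_option( 'hyp_fb_app_id', '' ) ); ?>">
        <input type="password" name="fb_app_secret" value="">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin's settings page, look for a check_admin_referer() or wp_verify_nonce() call next to every update_option(); its absence is the pattern this post describes.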
Is WPBook still vulnerable to this exploit?
Thankfully, when we contacted Mr. Eckman he pushed a fix the next day, patching the issue for anyone who updates to WPBook 3.7.1, and was kind enough to give us credit in the changelog. Will this vulnerability be exploited? Our theory is that every vulnerability is already known by someone, so it was most likely exploited before we found it. We are happy one security hole was fixed in WPBook; however, we aren’t saying it has no security holes. In reality, everything has security holes; some are just more exotic than others.
How do I fix the WPBook security hole?
To fix this particular security hole you need to update to WPBook 3.7.1 right away.
Our customers would’ve known about this issue, even the ones who pay for a $20 scan, and would’ve been able to evaluate the risk before it was made public.
The post WPBook 3.7 WordPress Plugin CSRF To Malicious Facebook app appeared first on WP Security Bloggers.