Hi,

    I’ve used BruteProtect on a few sites – it’s been very useful – and was reading the code because I wanted to suggest an action to be called (if not already) when a site is blocked; allowing me to pick up the information and pass it to the firewall.

    When doing so, I learnt that:
    – When a site gets its API key, it also receives back a key from the ‘mothership’ (https://api.bruteprotect.com)

    – The mothership can then call back, via a URL of this form, using the key that it knows, in order to enumerate the site’s plugins:

https://example.com/wp-login.php?bruteprotect_checkin=<key>

    The output, supplied via bruteprotect/uptime_securewatch.php, is then a JSON-encoded list of the site’s plugins (all plugins – not just BruteProtect), and their versions, together with an indicator of whether or not the site has a user named ‘admin’:

    // get_plugin_data() is defined in wp-admin/includes/plugin.php, which is not
    // loaded on a front-end request such as wp-login.php, so pull it in if needed.
    if (!function_exists('get_plugin_data')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $plugins = get_site_option('active_plugins');
    $t = plugin_dir_path(__FILE__);
    // Strip the trailing "bruteprotect/" to get the plugins directory itself.
    $t = preg_replace('/' . preg_quote('bruteprotect/', '/') . '$/', '', $t);

    $pls = array();
    if (is_array($plugins)) : foreach ($plugins as $pfile) :
        $pf = $t . $pfile;                       // full path to the plugin's main file
        $pl = array();
        $pl['shortname'] = trim(plugin_dir_path($pfile), '/');
        $p = get_plugin_data($pf);               // reads the plugin header (Name, Version, ...)
        $pl['name'] = $p['Name'];
        $pl['version'] = $p['Version'];
        $pls[] = $pl;
    endforeach; endif;

    $o = array();
    $o['version'] = get_bloginfo('version');     // WordPress core version
    $o['plugins'] = $pls;                        // every active plugin, not just BruteProtect
    if (username_exists('admin')) { $o['has_admin_user'] = 1; }
    echo json_encode($o);

    On the face of it, this appears to be a backdoor, and a breach of the www.ads-software.com guidelines (https://www.ads-software.com/plugins/about/guidelines/ – point 7, unauthorized collection of user data). I can detect no reason in the plugin’s code or design as to why it needs to provide BruteProtect HQ with special access to, at any time, enumerate my site’s plugins or usernames.

    What this looks like very much shakes my confidence in BruteProtect, and I’d really like to hear an explanation of firstly why BruteProtect HQ needed this backdoor, and secondly why it’s nowhere mentioned in the documentation?

    Many thanks,
    David

    https://www.ads-software.com/extend/plugins/bruteprotect/
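Added example (not part of David's post and not BruteProtect's own code): a PHP command-line scan of web-server access-log lines for the check-in URL described above, so a site owner can see who has actually been calling it. It assumes the log is in the common "combined" format; the sample lines are constructed, and the key value is never reported, only its length.

```php
<?php
// Added example, not BruteProtect code: find calls to the check-in URL
// (wp-login.php?bruteprotect_checkin=<key>) in access-log lines.
// The $sample lines below are constructed for illustration, not real traffic.

/**
 * Return one record per request to wp-login.php that carries a
 * bruteprotect_checkin parameter. The key itself is not returned, only its
 * length, so the report can be shared without leaking the secret.
 */
function find_checkin_requests(array $lines): array
{
    // "combined" format: ip - user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    $hits = array();
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // unparseable line: skip it rather than guess
        }
        list(, $ip, $time, $method, $target, $status, $ua) = $m;

        $parts = parse_url($target);
        // Match wp-login.php whether the site lives at / or in a subdirectory.
        if (!isset($parts['path']) || substr($parts['path'], -13) !== '/wp-login.php') {
            continue;
        }
        $query = array();
        if (isset($parts['query'])) {
            parse_str($parts['query'], $query);
        }
        if (!array_key_exists('bruteprotect_checkin', $query)) {
            continue;
        }
        $hits[] = array(
            'ip'         => $ip,
            'time'       => $time,
            'method'     => $method,
            'status'     => (int) $status,
            'user_agent' => $ua,
            'key_length' => strlen((string) $query['bruteprotect_checkin']),
        );
    }
    return $hits;
}

// Constructed sample: two check-in calls, one ordinary login POST, one page view, one junk line.
$sample = array(
    '203.0.113.7 - - [10/Jul/2014:09:12:01 +0000] "GET /wp-login.php?bruteprotect_checkin=abc123def456 HTTP/1.1" 200 512 "-" "BruteProtect/1.0"',
    '198.51.100.22 - - [10/Jul/2014:09:12:05 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jul/2014:09:13:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Jul/2014:09:15:00 +0000] "GET /blog/wp-login.php?bruteprotect_checkin=zzz&x=1 HTTP/1.1" 403 0 "-" "curl/7.35"',
    'garbage line that does not parse',
);

if (PHP_SAPI === 'cli') {
    foreach (find_checkin_requests($sample) as $h) {
        printf("%s %s %s status=%d ua=%s key_length=%d\n",
            $h['time'], $h['ip'], $h['method'], $h['status'], $h['user_agent'], $h['key_length']);
    }
}
```

Run it with `php scan.php`, or replace `$sample` with `file('/path/to/access.log', FILE_IGNORE_NEW_LINES)` for a real log. Any hit whose source is not the BruteProtect service deserves a closer look; the second constructed hit (a 403 from a curl user agent guessing at the key) is exactly the kind of probe you would want to notice.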

Viewing 5 replies - 1 through 5 (of 5 total)
Plugin Contributor Sam Hotchkiss

    (@samhotchkiss)

    Hi David– I certainly do apologize, this was not intended to make it out into our live code yet, and I’ve released an update removing it.

    We didn’t want to let the cat out of the bag quite yet, but we are working on a service where we can proactively notify you when one of your plugins has been flagged as having a serious security issue (to help distinguish between minor plugin updates and major security fixes)– at this point, we have built the functionality to allow our server (and ours alone– there is a second key which is known only to your site and ours) to get back your plugin name/version, WordPress version, and whether or not you have a user named “admin”, so that we can provide feedback to help you make your site more secure.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

Advisor and Activist

Remember to make that service Opt In.

    Thread Starter David Anderson / Team Updraft

    (@davidanderson)

    Hi Sam,

    Thanks – it is reassuring to know that the code was for a purpose and not just a back-door!

    Any chance of adding an action call in brute_kill_login() ?

    e.g.
do_action('brute_kill_login', $_SERVER['REMOTE_ADDR']);

    That would give other code an opportunity to log the IP somewhere else too – e.g. get the information up to the firewall so that it can be blocked before it uses up any more resources on other sites.

    David

    Plugin Contributor Sam Hotchkiss

    (@samhotchkiss)

    Hey David– no problem, sorry for any confusion!

    We can definitely add a hook in– I’m on vacation this week, so I’m running from the boat to dinner, but I’ll get it in as soon as I have a few!

    Best,
    Sam

    Plugin Contributor Sam Hotchkiss

    (@samhotchkiss)

    Hey David– this hook (along with brute_log_failed_attempt) has been added into 0.9.8.3, which will be released on Monday.
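Added example (not part of this thread and not BruteProtect's own code): a must-use plugin that consumes the two hooks Sam mentions, brute_kill_login and brute_log_failed_attempt, and writes the offending address to a log file that an external firewall tool such as fail2ban can watch. It assumes, as David's suggested do_action() call does, that each hook passes the client IP as its first argument; the log path is a placeholder.

```php
<?php
/*
Plugin Name: BruteProtect firewall bridge (added example)
Description: Not part of BruteProtect. Forwards IPs reported by the
             brute_kill_login and brute_log_failed_attempt hooks to a
             log file watched by an external firewall (e.g. fail2ban).
*/

// Assumptions (not confirmed by the thread): both hooks pass the client IP as
// their first argument, and the firewall tails this file. Path is a placeholder.
define('BP_BRIDGE_LOG', WP_CONTENT_DIR . '/bp-blocked.log');

/**
 * Validate the address before it touches anything else. A hook argument is
 * only as trustworthy as its source; if the plugin ever derives the address
 * from a proxy header, an attacker can put arbitrary bytes in it, and those
 * must never reach a firewall rule or a shell command.
 */
function bp_bridge_valid_ip($ip)
{
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

/**
 * Build the single log line the firewall filter matches. Kept pure (no I/O)
 * so the format can be checked independently of the file write.
 */
function bp_bridge_format_line($event, $ip, $ts)
{
    return sprintf("%s BP_%s ip=%s\n", gmdate('Y-m-d\TH:i:s\Z', $ts), strtoupper($event), $ip);
}

/**
 * Append one event to the log under an exclusive lock so concurrent
 * requests do not interleave partial lines. Returns false if the address
 * was rejected or the file could not be opened.
 */
function bp_bridge_record($event, $ip)
{
    if (!bp_bridge_valid_ip($ip)) {
        return false;
    }
    $fh = fopen(BP_BRIDGE_LOG, 'a');
    if ($fh === false) {
        return false;
    }
    if (flock($fh, LOCK_EX)) {
        fwrite($fh, bp_bridge_format_line($event, $ip, time()));
        flock($fh, LOCK_UN);
    }
    fclose($fh);
    return true;
}

// Hook into the two actions Sam says shipped in 0.9.8.3.
add_action('brute_kill_login', function ($ip) {
    bp_bridge_record('kill_login', $ip);
}, 10, 1);

add_action('brute_log_failed_attempt', function ($ip) {
    bp_bridge_record('failed_attempt', $ip);
}, 10, 1);
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins. A fail2ban filter for it needs only one failregex, `^\S+ BP_KILL_LOGIN ip=<HOST>$`, with the jail's logpath pointing at the file above; banning at the firewall then stops the address before it costs any further PHP time on any site behind that host.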

The topic ‘Why does BruteProtect allow bruteprotect to remotely enumerate a site's plugins?’ is closed to new replies.