Matt

Researchers warn of WordPress data leak flaw


A vulnerability in the way blogging platform WordPress manages uploaded media files could put users at risk of data leaks, say researchers.

A report from security firm White Hat claims that the blogging service may not properly protect media files from prying eyes the same way it guards blog text.

According to White Hat Security technical evangelist Robert Hansen, the flaw leaves users vulnerable because of the way WordPress assigns URLs. The system, says Hansen, is easy enough to guess that an attacker could potentially root out media files and attachments meant for posts which have yet to go live or be approved.

“The problem is that because the timing between the media and the blog post isn’t identical you can end up in a race condition with the content,” Hansen explained.

“For instance, let’s say you run a publicly traded company and you are about to release your earnings report on your blog. You may upload a PDF of the earnings report a day or multiple days in advance to make sure everything is perfect and ready to go when you announce.”

The company said that overall, the severity of the vulnerability is low. Aside from data leakage, there is no indication that the flaw could be leveraged for more severe attacks, such as account theft or code injection.

Because the WordPress platform is used to power millions of blogs, it has become a prime target for attackers looking to compromise sites and exploit web pages for use as embedded attack platforms or other malicious activity.

Earlier this year, researchers uncovered a large-scale cybercrime operation which had managed to compromise thousands of WordPress accounts through dictionary-combing 'brute force' attacks that automate the process of guessing passwords.

Source: V3.co.uk
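For site owners who want to check their own exposure to the upload-before-publish gap described in the article, the following is an added example, not part of the original post or of WordPress itself. It assumes WordPress's standard `wp_posts` layout, in which an upload is an `attachment` row linked to its post through `post_parent`; the rows, titles and `blog.example` URLs are constructed sample data in an in-memory SQLite table.

```python
import sqlite3

# Parent statuses that mean the post itself is not publicly visible yet.
UNPUBLISHED = ("draft", "pending", "future", "private", "auto-draft")

def build_sample_db():
    """Constructed sample rows in a cut-down wp_posts table (not real site data)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE wp_posts (
        ID INTEGER PRIMARY KEY, post_type TEXT, post_status TEXT,
        post_parent INTEGER, post_title TEXT, post_date TEXT, guid TEXT)""")
    rows = [
        (10, "post", "publish", 0, "Welcome", "2013-05-01 09:00:00", ""),
        (11, "post", "future", 0, "Q2 earnings", "2013-06-20 08:00:00", ""),
        (12, "post", "pending", 0, "Guest article", "2013-06-10 12:00:00", ""),
        (20, "attachment", "inherit", 10, "logo", "2013-05-01 08:55:00",
         "https://blog.example/wp-content/uploads/2013/05/logo.png"),
        (21, "attachment", "inherit", 11, "earnings", "2013-06-18 16:30:00",
         "https://blog.example/wp-content/uploads/2013/06/q2-earnings.pdf"),
        (22, "attachment", "inherit", 12, "photo", "2013-06-10 11:40:00",
         "https://blog.example/wp-content/uploads/2013/06/photo.jpg"),
        # Unattached upload (post_parent = 0): not covered by this check.
        (23, "attachment", "inherit", 0, "notes", "2013-06-11 10:00:00",
         "https://blog.example/wp-content/uploads/2013/06/notes.pdf"),
    ]
    db.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?,?,?)", rows)
    return db

def exposed_attachments(db):
    """Return (url, parent_title, parent_status) for uploads whose parent post is not live."""
    marks = ",".join("?" * len(UNPUBLISHED))
    query = f"""
        SELECT a.guid, p.post_title, p.post_status
        FROM wp_posts AS a
        JOIN wp_posts AS p ON p.ID = a.post_parent
        WHERE a.post_type = 'attachment' AND p.post_status IN ({marks})
        ORDER BY a.ID"""
    return db.execute(query, UNPUBLISHED).fetchall()

if __name__ == "__main__":
    for url, title, status in exposed_attachments(build_sample_db()):
        print(f"{status:8} {title!r}: {url}")
```

Any file this reports is already sitting at a public upload URL while its post is still scheduled or awaiting approval, so sensitive documents are better uploaded at publication time or kept outside the web-served uploads directory until then.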
