March 26th, 2014

WordPress Jetpack Sharing Plugin Exploited by Spammers

The sharing feature of the Jetpack plugin for WordPress is currently being exploited to send spam, and possibly for DDoS attacks. FOSS Force became aware of this after we began looking into emails sent to us by our server’s security system, notifying us of massive amounts of email being sent from our server. An investigation by our IT people traced the problem to the “Sharing” function of the Jetpack plugin.

Jetpack is a collection of plugins rolled into a single plugin and contains functions that are essential for many websites. The plugin, maintained by WordPress, contains functions that were included with the free websites hosted on WordPress.com but were unavailable to stand-alone users of the platform until Jetpack’s release about five years ago. The “Sharing” function places social bookmarks at the end of posts and pages, which allows a site’s visitors to share an article or post with social networking sites such as Reddit, Facebook or Twitter.

Also included is the ability to share an article with a friend via email, and it’s evidently the email sharing that’s being exploited by spammers. A required field when notifying a friend via the email function is the sender’s name. At present, no maximum length is enforced on this field, so a spammer can paste an entire spam message into it and have the site mail that text out on their behalf. This problem came to the attention of the plugin’s developers at least two days ago, after the issue was brought up on the WordPress forums. As this is a WordPress maintained plugin, we expect to see an update to the plugin within the next few days addressing this issue.

Until the problem is fixed, we recommend that all WordPress sites using the Jetpack Sharing function deactivate email sharing.

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux


1 comment to WordPress Jetpack Sharing Plugin Exploited by Spammers

  • Howdy, Christine.

    As a publication advocating for free and open source software, I’m sure you understand the difference between a company and an open source project. Jetpack is a plugin run by WordPress.com, which is owned by Automattic, Inc. WordPress is an open source project with its trademarks owned by the WordPress Foundation. While many individuals that work for Automattic volunteer lots of time for WordPress, the open source project, it is not owned by Automattic or WordPress.com.

    Ordinarily I wouldn’t make a big deal out of it, but you seem to be stating that WordPress the open source project manages Jetpack, which isn’t the case.

    On to the actual issue at hand —

    I concur with your conclusion: if you don’t want users to be able to send emails through your site, it would likely be wise to disable that functionality.

    We’re currently evaluating the best resolution to the situation, and would be happy to discuss any suggestions on an issue that I’ve just created on our GitHub project page — https://github.com/Automattic/jetpack/issues/448