March 26th, 2014

WordPress Jetpack Sharing Plugin Exploited by Spammers

The sharing feature of the Jetpack plugin for WordPress is currently being exploited to send spam and possibly to mount DDoS attacks. FOSS Force became aware of this after we began looking into alerts from our server’s security system notifying us that a massive amount of email was being sent from our server. An investigation by our IT people traced the problem to the “Sharing” function of the Jetpack plugin.

Jetpack is a collection of plugins rolled into a single plugin and contains functions that are essential for many websites. The plugin, maintained by WordPress, contains functions that were included with the free websites hosted on WordPress.com but were unavailable to stand-alone users of the platform until Jetpack’s release about five years ago. The “Sharing” function places social bookmarks at the end of posts and pages, which allows a site’s visitors to share an article or post with social networking sites such as Reddit, Facebook or Twitter.

Included is the ability to share an article with a friend via email, and it’s evidently the email sharing that’s being exploited by spammers. A required field when notifying a friend via the email function is the sender’s name. At present, there is no maximum length on this field, so a spammer can put the content of a spam message into the “name” and have the site send it. This problem came to the attention of the plugin’s developers at least two days ago, after the issue was brought up on the WordPress forums. As this is a WordPress maintained plugin, we expect to see an update addressing this issue within the next few days.
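As an added example, not Jetpack’s or Automattic’s own code, here is a PHP validator for the sender-name field of a share-by-email form. It shows the checks the article implies are missing: a hard length cap, so the field cannot carry a message body, plus rejection of line breaks and links, which a real person’s name never needs and which have no place in any field that ends up inside an outgoing mail message. The function name, the 64-character limit and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example (not Jetpack's own code): validate the "sender name" field of a
// share-by-email form before it is placed in an outgoing message.
// The function name, the length limit and the sample inputs are assumptions.

const SENDER_NAME_MAX_LEN = 64; // assumed limit; a real name rarely needs more

/**
 * Return the cleaned name, or null if the input must be rejected.
 */
function validate_sender_name(string $raw): ?string
{
    // Reject CR/LF outright: a "name" that spans lines is message text, not a
    // name, and line breaks must never reach the headers of a generated mail.
    if (preg_match('/[\r\n]/', $raw)) {
        return null;
    }

    // Collapse runs of whitespace and trim, then enforce a hard length cap so
    // the field cannot carry paragraphs of text.
    $name = trim(preg_replace('/\s+/u', ' ', $raw));
    if ($name === '' || mb_strlen($name, 'UTF-8') > SENDER_NAME_MAX_LEN) {
        return null;
    }

    // A sender's name has no business containing links or e-mail addresses;
    // treat their presence as a sign the field is being used as a message body.
    if (preg_match('#https?://|www\.|@#i', $name)) {
        return null;
    }

    return $name;
}

// Constructed sample inputs: one legitimate name and three that must be rejected.
$samples = [
    'Christine Hall',
    "Christine\r\nThis text was meant for the message body",  // contains line breaks
    str_repeat('Buy now ', 40),                                // far too long: a message, not a name
    'Great deals at http://example.invalid/offer',             // link smuggled into the name
];

foreach ($samples as $s) {
    $result = validate_sender_name($s);
    printf("%-60s => %s\n", json_encode($s), $result === null ? 'REJECTED' : "ok: $result");
}
```

Run it with `php validate_sender_name.php`; only the first sample passes. In a real plugin the same function would run on the form submission before the mail is built, and a rejected value should produce a form error rather than a silently truncated name, so that operators can see the rejections in their logs.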

Until the problem is fixed, we recommend that all WordPress sites using the Jetpack Sharing function deactivate email sharing.

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

1 comment to WordPress Jetpack Sharing Plugin Exploited by Spammers

  • Howdy, Christine.

    As a publication advocating for free and open source software, I’m sure you understand the difference between a company and an open source project. Jetpack is a plugin run by WordPress.com, which is owned by Automattic, Inc. WordPress is an open source project with its trademarks owned by the WordPress Foundation. While many individuals that work for Automattic volunteer lots of time for WordPress, the open source project, it is not owned by Automattic or WordPress.com.

    Ordinarily I wouldn’t make a big deal out of it, but you seem to be stating that WordPress the open source project manages Jetpack, which isn’t the case.

    On to the actual issue at hand —

    I concur with your conclusion: if you don’t want users to be able to send emails through your site, it would likely be wise to disable that functionality.

    We’re currently evaluating the best resolution to the situation, and would be happy to discuss any suggestions on an issue that I’ve just created on our GitHub project page — https://github.com/Automattic/jetpack/issues/448