The sharing feature of the Jetpack plugin for WordPress is currently being exploited for the purpose of sending spam and possibly for DDOS attacks. FOSS Force became aware of this after we began looking into emails being sent to us by our server’s security system, notifying us of massive amounts of email being sent from our server. An investigation by our IT people traced the problem to the “Sharing” function of the Jetpack plugin.
Jetpack is a collection of plugins rolled into a single plugin and contains functions that are essential for many websites. The plugin, maintained by WordPress, contains functions that were included with the free websites hosted on WordPress.com but were unavailable for stand alone users of the platform until Jetpack’s release about five years ago. The “Sharing” function places social bookmarks at the end of posts and pages, which allows a site’s visitors to share an article or post with social networking sites such as Reddit, Facebook or Twitter.
Included is the ability to share an artice with a friend via email and it’s evidently the email sharing that’s being exploited by spammers. A required field when notifying a friend via the email function is the sender’s name. At present, there is no maximum length for this field, which allows spammers to input email content into the field before sending. This problem came to the attention of the plugin’s developers at least two days ago, after the issue was brought up on the WordPress forums. As this is a WordPress maintained plugin, we expect that we will see an update to the plugin within the next few days addressing this issue.
Until the problem is fixed, we recommend all WordPress sites using the Jetpack Sharing function to deactivate email sharing.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
As a publication advocating for free and open source software, I’m sure you understand the difference between a company and an open source project. Jetpack is a plugin run by WordPress.com, which is owned by Automattic, Inc. WordPress is an open source project with its trademarks owned by the WordPress Foundation. While many individuals that work for Automattic volunteer lots of time for WordPress, the open source project, it is not owned by Automattic or WordPress.com.
Ordinarily I wouldn’t make a big deal out of it, but you seem to be stating that WordPress the open source project manages Jetpack, which isn’t the case.
On to the actual issue at hand —
I concur with your conclusion, if you don’t want users to be able to send emails through your site, it would likely be wise to disable that functionality.
We’re currently evaluating the best resolution to the situation, and would be happy to discuss any suggestions on an issue that I’ve just created on our GitHub project page — https://github.com/Automattic/jetpack/issues/448
Comments are closed.