by WorldWideWebb 600 days ago
How is this not a supply chain attack? Automattic literally took over a plugin that WPE owns/maintains by co-opting its plugin URL/slug. They renamed the plugin but took control over the URL that everyone’s plugin points to for updates. Literal MITM attack.
1 comments

wordpress.org isn’t an intermediary, they’re the publisher, so they can’t be in the middle, and they can’t be MITM

Now, the owner of a package could do a supply chain attack (with a very short chain, which is why I think the concept is overhyped), and it would be a supply chain attack, but it wouldn’t be a man-in-the-middle attack. WordPress took over ownership of it, but they haven’t published anything malicious to it. Back when WP Engine owned it, they could have published a malicious update and it would be a supply chain attack, but with a very short chain unless the user installed a project that depended on it and caused it to automatically be installed.

Wordpress.org is not the publisher of that plugin - WPE is. Wordpress.org was just hosting it in their plugin directory, which is where just about the entire community goes to for plugins. I’d guess that because of this drama, more plugin publishers will choose to not publish theirs in the directory anymore.

https://www.advancedcustomfields.com

I’ll use npm as an example. When someone not at npm runs npm publish, their npm client sends a request for their package to be published, which to me shows that the person isn’t the publisher because they aren’t requesting for themselves to publish the package. But I see how it might be confusing.
npm is a good analogy to this, but I don’t see how either one would be considered the publisher. Those are indexes/directories/whatever-you-want-to-call-it of packages/WP plugins. Another example would be something like GitHub. If GitHub (Microsoft) decided to take over the repo URL of a rival’s repository, I don’t think there would be any ambiguity about who was in the wrong.

Anywho - I’m not looking to get into an argument with a random internet stranger so have a good one.

Agreed that it's not a MITM but for other reasons: Automattic didn't insert themselves in between two communication nodes. Instead, they replaced one node with themselves. No further communication between the original nodes to in-the-middle intercept.

Isn't it rather a flavor of Impersonation Attack?

And "fraud" is maybe an ok word too?

> wrongful or criminal deception intended to result in financial or personal gain

(says some dictionary)

If npm or Ubuntu would deliberately replace a package with their own implementation, without giving you notice or making this opt-in, would you call that a supply-chain attack? I would, unless the original package contained malicious code (which is not the case with WPE's custom fields plugin).
Ubuntu patches all the time. WordPress could have done exactly the same with patches! Good idea.

Sometimes a patch isn’t enough so there is something like SilverWolf. That’s kinda like ACF/SCF.

That's LibreWolf.