3 Lessons from the TimThumb WordPress Security Fiasco

Zero-day vulnerabilities are one of the biggest and most pervasive fears for any serious WordPress website owner.

It is frightening to think that you could go to bed one night with your site functioning properly and wake up to a site promoting Viagra, gambling, or … worse.

This is exactly what happened to site owners across the world about this time last year.

Mark Maunder, who ended up helping solve this particular problem, perfectly encapsulated the quick turnaround from “All systems go” to “All systems NO!”

Earlier today this blog was hacked. I found out because I loaded a page on my blog and my blog spoke to me. It said “Congratulations, you’re a winner.”

The vulnerability that struck Mark’s site — and so many others — was found in an image resizing library called TimThumb. Just how many sites were affected? Sucuri estimated “a couple of million.”

This was a widespread breach of epic proportions. It set the online world into panic mode. Even Matt Mullenweg got involved.

This vulnerability — which Sucuri deemed a “mass infection”, Mullenweg called a “saga”, and we are naming a “fiasco” for variety’s sake — was so pervasive that it cast a Scarlet Letter on this library and anyone who used it. In reality, the vulnerability was fairly narrow in scope.

This post is intended to “state the facts” about the TimThumb fiasco and to make sure the important lessons it taught us are not forgotten.

What Was The Problem?

Before we get into the lessons, here’s a quick explanation for exactly what TimThumb is and what, exactly, the vulnerability was.

TimThumb is a library used in websites to resize large images into usable thumbnails. It is widely used in WordPress themes. As of early August 2011, when the vulnerability was exploited en masse, Google showed over 39 million results for the script name.

Through version 1.09, TimThumb only operated on local files or files that you had stored on your website. In the 1.10 era, however, the creators added functionality to resize an image from a remote website.

For example, if you wanted to include a photo from Pinterest on your site but wanted to resize it, TimThumb 1.10 and beyond would do the trick. All you had to do was paste in the URL. A security mechanism used a “white list” to only allow access to files from perceived safe domains (e.g. Flickr). This is where the problem began.

The library used a checking mechanism that didn’t take into account that someone could add one of those “safe names” as a subdomain of their own site and trick the library. So, someone could create the subdomain flickr.com on their domain evil-site.com, giving flickr.com.evil-site.com, and the check would accept it. This vulnerability made it easy for a hacker to feed a file from their evil site into someone else’s site.

The catch, of course, was that the hacker’s site didn’t have pretty pictures, but instead housed nasty injection software that would begin the hacking process.
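The flawed domain check described above, side by side with a hardened one. This is an added illustration of the pattern the post describes, not TimThumb’s own code, and the allow-list entries are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list of "safe" image hosts, modelled on the kind of list
# the post describes (entries are examples, not TimThumb's real list).
ALLOWED_SITES = ["flickr.com", "picasa.com", "img.youtube.com"]


def is_allowed_vulnerable(url: str) -> bool:
    """The flawed pattern: accept the URL if its host merely *starts with*
    an allowed site name. A host such as flickr.com.evil-site.com passes."""
    host = (urlparse(url).hostname or "").lower()
    return any(host.startswith(site) for site in ALLOWED_SITES)


def is_allowed_fixed(url: str) -> bool:
    """Hardened check: parse the URL, require http(s), normalise the host,
    and accept only an exact match or a true subdomain, i.e. the allowed
    site must sit at the *end* of the host behind a dot boundary."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    for site in ALLOWED_SITES:
        site = site.lower()
        if host == site or host.endswith("." + site):
            return True
    return False


if __name__ == "__main__":
    for u in ("http://farm1.flickr.com/photo.jpg",
              "http://flickr.com.evil-site.com/x.php"):
        print(u, is_allowed_vulnerable(u), is_allowed_fixed(u))
```

Because the fixed version matches the parsed hostname rather than the raw URL string, a “safe name” appearing in the path or before an @ in the URL does not fool it either.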

We described above what happened to Maunder’s website. His was one of many. To solve the issue, developers like Maunder, theme developers, and hosts across the web scrambled for patches and fixes.

Maunder came up with WordThumb, which patched the issue (and eventually was rolled into TimThumb 2.0).

Theme developers who had used 1.10, rather than sticking with 1.09, had to update their frameworks.

And hosts had to get involved to perform blanket overwrites of the file across their infrastructure.

Lesson #1: TimThumb is Just the “Tip of the Iceberg”

As our friends at Sucuri pointed out, what happened with TimThumb is just the “tip of the iceberg” when it comes to scripts being added to WordPress themes and plugins without proper vetting.

Version 1.09 worked great, but not vetting the changes in 1.10, and their unintended consequences, left every site running that version of TimThumb vulnerable. They use Uploadify as an example of a plugin built on TimThumb that was included in many of the vulnerable themes.

Sucuri also blamed both inexperience and laziness for the TimThumb issue. There is, in fact, already a built-in alternative for image resizing in WordPress, but it is often not leveraged correctly.

Plus, as Sucuri explained, though WordPress tries its best to be tightly controlled, with a great review and vetting process, it is an impossible task to check every release of every theme and plugin out in the marketplace. They provide five useful tips for minimizing risk related to TimThumb-like vulnerabilities.

Here is an additional tip, in the form of our second lesson:

Lesson #2: The Value of Premium Theme Frameworks

When the TimThumb fiasco exploded, Sucuri browsed the WordPress Theme Repository to catalog as many themes as possible that were vulnerable. Here is a partial list.

Some of these themes were actively managed and updated the script. Others were not. Either way, the onus was on you — the site owner — to make a quick change to code that you may or may not have been capable of making.

This is where using a premium WordPress theme framework is worth its virtual weight in gold.

  • Genesis, our preferred framework here at Synthesis (built by a division of Copyblogger Media), does not use TimThumb and thus did not expose its customers to the vulnerability. (But … sites using Genesis still could have been vulnerable if a deployed plugin used the script. That goes for any of these examples.)
  • Thesis wisely stuck with TimThumb version 1.09, declining to implement the version that supported remote files.
  • Woo Themes did use 1.10b and beyond, but they quickly patched it when word of the vulnerability broke.
  • Photocrati, a premium theme solution for photographers, also did not use TimThumb, thus sparing its customers from the issue.

Part of what you pay for when you purchase a premium theme framework is vigilance. If you were running a custom theme, you either had to change it yourself or pay your developer to help you. But when you buy a good premium theme framework, you’re paying the developers to stay on top of breaking issues like the TimThumb fiasco, and to roll out updates as soon as possible.

Or … to not roll out updates.

Lesson #3: The Value of Managed WordPress Hosting

Not only did the TimThumb fiasco illustrate the value of premium theme frameworks, it showed the value of managed WordPress hosting.

A good managed hosting provider will understand what vulnerabilities exist and be able to diagnose whether your site has an issue. An excellent hosting provider will proactively work with you and won’t throw your site out with the bath water just because — for instance — you use TimThumb.

It’s in our best interest to keep vulnerabilities like TimThumb as far away from each of our servers as possible. That’s why we steer our customers towards the Genesis design framework (and other premium theme frameworks); it’s why we’ve cultivated such a close relationship with Sucuri; and it’s why we’ll usually contact you about a security issue before you even realize there is one.

***
Ultimately, TimThumb provided quite a scare and sent many of the top WordPress developers and security experts scrambling for a fix. Only the most negligent of websites will still be vulnerable now. (You can use this scanner if you want to double-check your site.)

But TimThumb was a learning opportunity, and it reinforced the three lessons above.

Take them to heart. It will help you have peace of mind when the next fiasco like TimThumb inevitably rears its ugly head.

Comments

  1. I really enjoyed this article. I came looking to remove TimThumb though and would have liked to hear about how to remove it once and for all, or WHY it cannot be removed … which seems to be the case and I find really, really strange. I had only briefly heard about the security flaw and actually just wanted it gone to lessen clutter since WP seems fully capable for what I need. Again though, thanks for the great article and catching me up to speed; it’s great writing like this that makes me look forward to blogging my own content.
