WordPress Site Builder Plugin Accused of Adding a ‘Backdoor’

A widely used plugin for a popular WordPress site builder installed an anti-piracy script that essentially unpublishes all posts. WordPress developers are livid, with some calling the script malware, a backdoor, and a violation of the law.

BricksUltimate plugin for Bricks Builder

Bricks Site Builder is a site-building platform for WordPress that is very popular with web developers, who cite its intuitive user interface, class-based CSS, and the clean, high-performance HTML it generates as features that set it above many other site builders. What sets this site builder apart is that it is built for developers with advanced skills, allowing them to create pretty much anything they want without having to fight the built-in code of typical drag-and-drop site builders, which are meant for non-developers.

An advantage of the Bricks site builder is that there is a community of third-party plugin developers that extend the power of Bricks to make it faster to add more website features.

The BricksUltimate plugin for Bricks Builder is a third-party plugin that makes it easy to add features like breadcrumbs, animated menus, accordion menus, star ratings, and other interactive elements to your page.

It is this plugin that has sparked controversy in the WordPress developer community by adding anti-piracy features that many in the community consider a “very bad practice” and that others refer to as “malware”.

BricksUltimate measures against piracy

The controversy appears to center on a script that checks for a valid license. It’s not clear exactly what is installed, but according to a developer who examined the plugin’s code, the script appears designed to hide all posts on the entire website if it detects a pirated copy of the plugin (more information on this below).

Plugin developer Chinmoy Kumar Paul downplayed the controversy, writing that people are “overreacting.”

One ongoing discussion of the BricksUltimate anti-piracy measure in the Dynamic WordPress Facebook group has over 60 posts, the vast majority of them opposing the anti-piracy script.

Typical reactions in this discussion:

“… hiding a backdoor that reads the client’s database, is itself a breach of trust and shows malicious intent on the part of the developer.”

“I simply refuse to support or recommend any developer who thinks they have the right to secretly add a malicious payload to software. And then when confronted they defend it and see no wrong. Absolutely unacceptable and I’m glad the community has joined in saying that this approach should not be tolerated…”

“…the fact that the code is there is terrible. I wouldn’t leave a plugin with this kind of backdoor anywhere, let alone anyone doing it for a client site. This completely ruins the plugin for me!”

“This man and his company could easily be reported and exposed to the General Data Protection Regulation Authority (GDPR) in any EU country for injecting undeclared ‘monitor’ code that has unauthorized access to databases and that it actually behaves like malware!!!!!! It’s just amazing!”

One of the developers in the Dynamic WordPress Facebook community reported their findings on what the anti-piracy script does.

They explained their findings:

“My colleague and I have investigated this. Of course, we are not backend experts. Our findings are that the plugin has encoded code that is not human-readable without decoding.

This code is an additional remote license check. If it fails, it appears to overwrite the values in the wp->posts database, making all posts of all post types unreadable by WordPress.
It looks like it won’t delete them completely as suspected, but it does appear as deleted in the interface for any non-expert users.

It seems to have been implemented in 1.5.3+ BUs and since there are no posts here from legitimate users, I tend to trust Chinmoy that it is very unlikely to affect legitimate users.

Now, my colleague had a hacked version of the plugin, but unfortunately she wasn’t aware of it because it was purchased as a legitimate version from a third-party vendor.”
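A site owner can triage an installed plugin for the two traits described in the findings above: code that is unreadable without decoding, and direct writes to the posts table. The Python scanner below is an added example, not code from the article or from BricksUltimate; its rule set, the sample PHP strings and all function names are constructed assumptions.

```python
import re
from pathlib import Path

# Heuristic rules (assumptions for this example, not signatures from the plugin).
RULES = {
    "dynamic-exec": re.compile(r"\b(eval|create_function)\s*\(", re.I),
    "decoder": re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I),
    # A quoted run of 200+ base64-alphabet characters is rarely hand-written code.
    "encoded-blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    # Raw SQL that modifies the posts table instead of using the WordPress API.
    "posts-write": re.compile(
        r"\b(UPDATE|DELETE\s+FROM)\s+[^;]*(\$wpdb->posts|wp_posts)", re.I),
    "remote-call": re.compile(r"\bwp_remote_(get|post|request)\s*\(", re.I),
}

def scan_source(php: str) -> set[str]:
    """Return the names of all rules that match one PHP source string."""
    return {name for name, rx in RULES.items() if rx.search(php)}

def triage(hits: set[str]) -> str:
    """Turn rule hits into a verdict for a human reviewer."""
    hidden = "decoder" in hits and bool(hits & {"dynamic-exec", "encoded-blob"})
    if hidden:
        return "review: code hidden from reading"
    if "posts-write" in hits:
        return "review: writes to posts table directly"
    return "ok"

def scan_plugin(root: str) -> dict[str, str]:
    """Scan every .php file under a plugin directory; report non-ok files."""
    report = {}
    for path in Path(root).rglob("*.php"):
        verdict = triage(scan_source(path.read_text(errors="replace")))
        if verdict != "ok":
            report[path.name] = verdict
    return report

# Constructed samples: the blob is harmless filler and the UPDATE is a no-op.
SAMPLE_ENCODED = "<?php $k = '" + "QUJD" * 60 + "'; eval(base64_decode($k));"
SAMPLE_DBWRITE = '<?php $wpdb->query("UPDATE {$wpdb->posts} SET post_title = post_title");'
SAMPLE_PLAIN = "<?php function example_breadcrumbs() { return get_the_title(); }"

if __name__ == "__main__":
    for name in ("SAMPLE_ENCODED", "SAMPLE_DBWRITE", "SAMPLE_PLAIN"):
        print(name, "->", triage(scan_source(globals()[name])))
```

A hit is a prompt for manual review, not proof of a backdoor: legitimate plugins also decode data and call remote license APIs.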

BricksUltimate Developer Response:

Plugin developer Chinmoy Kumar Paul posted a reply in the BricksUltimate Facebook group.

They wrote:

“Re: Some programmers are bypassing the license api with some custom code. This time plugin is getting activated and working fine. My script just tracks those sites and checks the license key. If not it matches the data is deleted. But it’s not the best solution. I was just testing.

Next time I will improve it with other logics and tests.

People are just exaggerating.

I am still looking for the best solution and updating the codes as per my report.

…Many unwanted users are sending the problem by email and I am wasting my time for them. So I’m just trying to find the best option to avoid that kind of thing.”

Several BricksUltimate users defended the plugin developer’s attempt to fight users with pirated copies of the plugin. But for every post defending the developer there were others expressing strong disapproval.

Developer backtracks on anti-piracy measure

The developer may have read the room and seen that the move was very unpopular. They said they had reversed course on the measure.

They insisted:

“…I said I will change the current approach with a better option. People don’t understand the concept and spread rumors here and there.”

Backdooring can lead to fines and jail time

Wordfence recently published an article about backdoors left by developers to intentionally interfere with or damage the websites of publishers who owe them money.

In the post, titled “PSA: Intentionally leaving backdoors in your code can lead to fines and jail time”, they wrote:

“One of the main reasons a web developer might be tempted to include a coded backdoor is to make sure their work isn’t being used without payment.

…What should be obvious is that intentionally damaging a website is a violation of the laws of many countries and could result in fines or even jail time. In the United States, the Computer Fraud and Abuse Act of 1986 (CFAA) clearly defines the illegal use of computer systems. Under 18 USC § 1030 (e)(8), simply accessing computer systems in a manner that uses privileges or access levels higher than permitted is a violation of the law. In addition, intentionally damaging the system or data is also a crime. The penalty for violating the CFAA can include prison sentences of 10 years or more, in addition to large financial penalties.”

The fight against piracy is a legitimate issue. But it’s a little more difficult in the WordPress community because the WordPress license specifies that everything created with WordPress must be released under an open source license.

Featured image by Shutterstock/Dikushin Dmitry


About the Author: Ted Simmons

I follow and report the current news trends on Google news.
