Sucuri discovered the vulnerability and informed the MailPoet team, giving them the information and time to fix the issue. The MailPoet team did resolve it, but Sucuri disclosed the vulnerability publicly within 24 hours of MailPoet releasing the update on WordPress.org.
This is not responsible disclosure! We are all glad that Sucuri discovered the issue and informed the developer, but how on earth did they expect a plugin that has been downloaded more than 2 million times, and is one of the most used plugins in its sector, to force its users to update to the latest version within 24 hours?
Result: 50 thousand WordPress sites hacked using this exploit!
Who is to blame? The security firm that we all love, or their responsible disclosure?
The MailPoet team wrote this: http://www.mailpoet.com/sucuri-hack-lessons-learned/
Sucuri replied on their blog: http://blog.sucuri.net/2014/07/responsible-disclosure-sucuri-open-letter-to-mailpoet-and-future-disclosures.html
# Their biggest mistake is the way they pointed out the issue in their changelog; check it: the version 2.6.7 entry does not state the severity of the security issue. I understand that they also need to keep their users calm, but a vulnerability is not something that is someone's fault; in software there will always be issues, and that does not mean you can play down a matter like this to protect your reputation.
# The time frame. I am also not convinced that it should have taken them 15 days to come up with a fix for a vulnerability of this severity. They should have promptly released a quick fix.
# I think Sucuri is pissed because MailPoet released the fix 15 days later and did not make any serious mention of Sucuri and their findings in the plugin changelog (there was a simple mention, with no disclosure details). So they wrote the blog post on July 1st to bring attention to it.
# But this move of theirs caused a lot of problems. Even if MailPoet was somewhat sloppy, as a spokesperson for an open and safer web you still cannot put millions of users in danger, but that is what happened: thousands of sites got hacked.
Sucuri thinks they are absolutely correct and that they will do the same in the future!
Brother, with great power comes responsibility. Think about all those millions of normal users. I mean, come on, who updates their blog every single day? Is that even practical? Auto-update will soon work far more smoothly, and then we might overcome this sort of issue. But for now we need to act with more responsibility!
This discussion got major attention in the Advanced WordPress group on Facebook; take a look.