Colin Devroe

Reverse Engineer. Blogger.

Major security problem on (a non-issue, see update)

August 13, 2009

Summary update: If you read this entire post you will learn that it was only my account, and the account of the company that I had access to, that was affected. This was not a widespread issue with all accounts. Here is what I learned from all of this.

— original post below —

This will be a live blog of sorts to keep track of the events taking place right now. About 25 minutes ago, at 9:30am EST, I logged into my account to check my blog’s stats for my post about WordPress Short URLs. I noticed that, in addition to my normal account statistics being there, I also had access to a very high profile, VIP account (who shall remain nameless until Automattic replies).

At 9:31 I called team Automattic’s 877 # on their contact page. Left a voice mail message detailing exactly what is going on and letting them know I’m willing to help in anyway that I can.

About 20 minutes later, after not having gotten any replies yet, I emailed Matt Mullenweg‘s personal email account. Knowing that he’s probably still asleep on the West Coast – I didn’t expect it to help too much but I thought I’d try anything.

About 10 minutes later I figured other people that have accounts should probably know – so I sent an email to detailing what was happening – but not giving out any restricted information (not even the name of the account that I currently have access to).

When Automattic has the chance to respond, fix the problem, and notify the account that I have access to about the breach – I will update this post with further information. I respect the team at Automattic and I want to give them the chance to fix the problem and address their customers and community before I go any further or release any information as to how this happened and what accounts were affected.

10:30am EST: I’m trying to find a good way for all users to protect themselves until the Automattic team can get to this issue. But I haven’t found much in the way of shutting off access to a account. If any one knows a way, please leave a comment. However, I can suggest that you should log into your account, check out the Authors & Users area and be sure that no one is in there that shouldn’t be.

10:45am EST: Suggestion from friend Chris Coleman: Back up your WordPress blog. Duh! To do this, log into your account, click on Tools > Export and download the file. At least if someone hacks in you’ll be able to restore your blog to normal once this is fixed.

10:55am EST: It seems that my access to the account that wasn’t mine has now been revoked (or fixed). Still no word from Automattic yet but I’m assuming that either the error fixed it self, that the team’s priority was to fix the problem before contacting me, or perhaps an employee at the company whose account I had access to noticed that my user account shouldn’t have been there, and so deleted it.

Stay tuned. I’m hoping to hear from them soon. I will release the account I had access to once they confirm the problem is fixed and they’ve notified that company. I also have screenshots for proof but I am not sure if they’ll want me to share them.

11:10am EST: Someone from Automattic, Hanni Ross (who I don’t see on the team page at all though is a team member), contacted me via AIM and said that this was human error. A one time, one account, issue. Somehow my account and the account of the company’s site that I had access to was – by a human somehow – connected.

To be completely honest I don’t buy it. [Edit: I don’t mean for this to sound as though I don’t believe Hanni. I just didn’t believe that this was a one time thing. More below.] But, as I said earlier, I have a lot of respect for everyone involved with Automattic and so I will take it for what it is. I’ve asked that the company be notified of what happened and that, in some way, it be confirmed that this was not a widespread issue. Hanni mentioned that she’d rather not have me mention the company’s name (which I haven’t yet) but I plan on doing so once the company is notified. If they aren’t, I plan on notifying them. I’ll also explain my reasons why later.

11:40am EST: First, I’ve edited the above paragraph. I never meant to bring into question the integrity of anyone at Automattic. I simply found it hard to believe this problem only effected my account.

I had a chat with Toni Schneider who explained exactly what happened, why it was a one time thing, and what they are going to do to try to make sure it doesn’t happen again in the future.

It turns out that when new VIP accounts are created and imported (perhaps from other blogs) the WordPress team creates the user accounts, imports the older blog posts, and other tasks using their own tools to do so. It turns out that whomever was setting this one up accidentally put in my username rather than, perhaps, one that the company wanted. Either that or there is another cdevroe floating around out there. If there is I bet their handsome.

Toni also said that they’d notify the company about this situation so that they have the opportunity to go through their current user access list to be sure there aren’t any other mistakes. Also that they’d create a check when running this routine again to try to help verify no user error.

I asked Toni what the best way to notify the WordPress team about something like this was (since I tried everything that I could think of and had the power to do) and he said to email because they have people “checking that email constantly”.

I’m happy with the way this situation turned out. I’m glad it was me that got access to this account and not someone that would have been willing to fool around with blog posts or other content on that company’s high profile site. I’ll be thinking about whether or not to release any other details about this situation in the future but for now I’m glad to get back to work.