Fighting Security Vulnerabilities – Behind the Scenes!

Security Update!

It’s not just a bug fix, but a long process of identifying what it is, how it can be handled, and then fixing it up.

We recently worked on one. And here we are sharing what happened behind the scenes, the process we followed, and the takeaways for all of us.

On 4th of May, 2020, we released an update with a security improvement in the Ultimate Addons for Elementor version 1.24.2.

This vulnerability was discovered in our internal audit and we patched it on the same day. We’ve also transparently sent out emails to customers informing them about this and advised them to update the plugin as soon as they could.

So, what happened?

In an effort to improve the security of our plugin, we were auditing the plugin code, and we found a bug in the User Registration Form widget of the Ultimate Addons for Elementor.

The User Registration Form widget is used to create a customized registration form. With this, you can beautify WordPress registration forms with advanced features like auto-login, anti-spam Honeypot protection, reCAPTCHA, etc. 

The most common websites that are likely to use a User Registration Form are eCommerce websites, membership portals, eLearning websites, or any other website that requires a user to register before they can submit a comment on a blog post, etc. 

As soon as you add this widget on the page you see the following instruction – 

Elementor registration form notice

It says that you need to enable the “Anyone Can Register” setting from the dashboard to use this widget further.

"Anyone Can Register" dashboard setting

This setting allows visitors to register on the website as a Subscriber.

Users with the Subscriber user role cannot write posts, view comments, or do anything at all inside your WordPress admin area. They can only manage their profile.

But this still gave them the ability to log in to the website.

So, where do we go from here?

As soon as we found this bug, we patched it on high priority, releasing the update for the plugin within 4 hours.

We also got in touch with our customers, letting them know about the security fix, and advising them to update their websites as soon as they could.

Security Update Email - UAE

But…

In response to our Security Update email, a few users wrote to us claiming that they had found some additional unidentified files on their server.

Security Vulnerabilities response

We looked into it right away but found it wasn’t caused by the Ultimate Addons for Elementor.

Next: if it was not the Ultimate Addons, then what was it?

Our team went a step further to find the cause of this and noticed another bug, in Elementor Pro’s Custom Icons feature.

We investigated the issue and noted all the findings that would help fix this bug as soon as possible. Since this security bug was coming from Elementor, we wrote a quick email to the team at Elementor with a detailed PoC.

Security Vulnerabilities action

As always, the team at Elementor was quick to respond and was positive about getting this fixed as soon as possible.

While part of our team was still working on fixing things in our addons, a few were making notes of everything needed for the Elementor team to work on theirs.

Quickly enough, the Elementor Pro team released a patch in version 2.9.4 on 7th of May, 2020.

Elementor update regarding security

Timeline

May 4th, 2020 [4:50 PM] – We found a vulnerability in Ultimate Addons in our internal audit.
May 4th, 2020 [4:39 PM] – The team suspected a few issues in Elementor Pro and sent an initial email to the Elementor team.
May 4th, 2020 [9:10 PM] – We patched the security issue and released an update for Ultimate Addons.
May 4th, 2020 [11:25 PM] – Sent out emails to users informing them about the security patch.
May 4th, 2020 [11:49 PM] – Received the first email claiming that unidentified files had been found on their server.
May 5th, 2020 [10:00 AM] – The team started digging for the cause of this. Meanwhile, we received a few more such emails.
May 5th, 2020 [06:00 PM] – We found the exact issue coming from Elementor Pro and provided a detailed PoC.
May 7th, 2020 – Elementor Pro team released a patch in version 2.9.4.

Helping our customers to keep their sites secure

We did receive tickets from users who were not sure what had happened and were worried about what to do. We are sending simple and quick guidelines to everyone who has expressed their concern through their replies to our email.

Actions for hacked sites

And finally, we smiled when users wrote back saying they were thankful for the timely action taken.

User response to quick support

Take away for all of us!

We as product developers should take the utmost care when it comes to security. Though we may think we have built foolproof products, we might still come across security vulnerabilities. We agree this can be a tough time, but taking quick and smart action can save our users’ websites from being compromised.

So here we are sharing a few guidelines we personally follow to make our products more secure every day –

1. Conduct a regular security scan – While developing awesome features for your theme/plugin, make sure to work diligently on checking the security of the plugin.

2. Encourage developers to use advanced tools – Help your developers to learn and use new tools. Our in-house developers use tools like – ###

3. Never ignore security vulnerabilities (inspect on high priority) – Whether you find it in your regular scan or one of your users reports it, make sure you dive deep into it. Find the cause with urgent priority so you can prevent big losses in the future.

4. Patch the backdoor immediately and send out updates – Fix the security issue as soon as possible, within a few minutes or hours, and make sure to release the update immediately.

5. Don’t hide it from your users – Send out news about the security fix to users, because they are the ones who might suffer from this unintentional error. Alert them to update the product to the latest version to avoid any loss.

We take security very seriously! 

We sincerely apologize for the inconvenience this might have caused, but assure you that security is of utmost importance to us. We dive in to fix every bug we come across, making sure that our plugins remain usable and reliable for every user.

We believe that accepting mistakes and taking immediate action will prevent the worst. And therefore, we make sure that every user is informed about a security fix and asked to update the plugin immediately. And that’s how we do it, through email.

Nothing is perfect, but we certainly work to get close! We are together in – Fighting Security Vulnerabilities!

Get in touch with us for any help you need. 

Stay Updated! Stay Safe! 


About the Author

Sujay is CEO and Co-Founder of Brainstorm Force, the company behind Astra. He is a diehard entrepreneur, growth hacker, and YouTube addict. Get in touch with him on Twitter @sujaypawar.
