Google WordPress Site Kit Plugin Grants Search Console Access - Security Affairs

    Experts have found a critical bug in the official Google WordPress Site Kit plugin that could give hackers access to the Google Search Console of targeted sites.

    The Site Kit WordPress plugin makes it easy to set up and configure Google's most important products (i.e. Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimize and AdSense), giving users online information and up-to-date advice on how to succeed. It has more than 300,000 active installations.

    Wordfence experts have found a critical bug in the Site Kit plugin that authenticated attackers can use to gain owner access to the Google Search Console of targeted sites.

    This flaw makes it possible for any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.


    The vulnerability is caused by the disclosure of the proxySetupURL, which is included in the HTML source code of the admin pages. It is used to redirect the administrator of the site to Google OAuth and start the site ownership verification process through a proxy.

    To establish the first connection between Site Kit and the Google Search Console, the plugin generates the proxySetupURL, which redirects the site administrator to Google OAuth and starts the process of verifying site ownership through a proxy server.

    Due to the lack of capability checks on the admin_enqueue_scripts action, the proxySetupURL was displayed in the HTML source code of the administration pages to any authenticated user accessing the /wp-admin dashboard.

    The experts also noted a second problem: the verification request used to check the ownership of the site was handled by a registered admin action that did not check whether the request came from an authorised WordPress user.
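
    The two missing checks described above, written the way a plugin author would add them. This is an added example, not Site Kit's code: every example_* name, the nonce action and the proxy URL are hypothetical, and only the WordPress hooks and functions are real.

```php
<?php
/**
 * Plugin Name: Example Setup Hardening (constructed example)
 * All example_* names and the proxy endpoint below are hypothetical.
 */

// Hypothetical helper: builds the setup link that starts owner verification.
function example_proxy_setup_url() {
    return add_query_arg(
        array(
            'action'   => 'example_proxy_setup',
            // The nonce ties the link to the logged-in user who was shown it.
            '_wpnonce' => wp_create_nonce( 'example_proxy_setup' ),
        ),
        admin_url( 'index.php' )
    );
}

// admin_enqueue_scripts fires on every /wp-admin page for every logged-in
// role, subscribers included, so the callback must decide who sees the URL.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // Non-administrators never get the setup URL in the page source.
    }
    // Source-less handle used only to carry the inline data.
    wp_register_script( 'example-setup', false, array(), '1.0', true );
    wp_enqueue_script( 'example-setup' );
    wp_add_inline_script(
        'example-setup',
        'var exampleSetup = ' . wp_json_encode(
            array( 'proxySetupURL' => example_proxy_setup_url() )
        ) . ';'
    );
} );

// admin_action_{action} runs for any authenticated admin request carrying
// that action parameter, so the handler needs its own authorization check.
add_action( 'admin_action_example_proxy_setup', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_proxy_setup' ); // Rejects a missing or invalid nonce.
    wp_redirect( 'https://proxy.example.invalid/setup' ); // Placeholder endpoint.
    exit;
} );
```

    Hiding the URL alone is not sufficient: the handler check is what stops a low-privileged user who obtains or guesses the request from starting verification.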

    By chaining the two vulnerabilities, an attacker can gain owner access to the site's Google Search Console, which allows them to change sitemaps, remove pages from Google's search engine results pages (SERPs) or run a black hat SEO campaign.

    Together, the two flaws allowed subscriber-level users to become Google Search Console owners on any affected site, Wordfence continues.

    A Google Search Console owner can, for example, request the removal of URLs from Google Search, view competitor performance data, change sitemaps, and more. Unauthorized owner access to a site's Google Search Console can hurt the site's visibility in Google search results and affect revenue as the attacker removes URLs from the search results. Specifically, it can be used to help a competitor who wants to harm the ranking and reputation of the website in order to improve its own reputation and ranking.

    The good news is that Google sends an email when new owners are added to the Google Search Console, so administrators can remove the unknown owner.

    As an additional precaution, the administrator can also reset the connection to the WordPress Site Kit so that all previously connected Google services must be reconnected.

    Wordfence discovered the privilege escalation issue on April 21 and reported it to Google on April 22.

    Google addressed the vulnerability on May 7 with the release of Site Kit 1.8.0.

    At the time of writing, more than 200,000 website owners have updated their Site Kit plug-ins, but more than 100,000 websites are still vulnerable.

    Pierluigi Paganini

    (Security issues – Site Kit, Hacking)



