How to Botch a Security Vulnerability Discovery – WooThemes Case Study
Posted by Zuly Gonzalez. Categories: Case Study, Security, Web Security

Yesterday, Jason Gill disclosed a bug in the WooThemes WooFramework that allows any website visitor to run and see the output of any shortcode.

WooThemes is a popular WordPress theme maker that is used by thousands of websites. If you have a website powered by WooThemes, please update to the latest version right away.

Jason describes the impact:

“This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. WordPress installations with unsecured shortcodes (such as [php] which allows raw PHP code to be run) are vulnerable to serious attacks if WooThemes are installed, even if they are not the selected theme for the site.

It would be trivial to identify common insecure shortcodes and then attempt them against common WooThemes to attempt to run malicious code on the remote server.”

Jason goes on to say:

This is only “half” of the equation. I have already seen numerous hosting accounts compromised via a more malicious form of this attack which I have not published. In fact, finding a number of sites running WooThemes all compromised in the past 4 days via the contents of shortcode-generator/ led me to take a quick look through the code to try to find the attack vector and I found this.
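To make the class of bug Jason describes concrete, here is an added illustration in PHP. It is not WooFramework's code and does not claim to be the actual WooThemes code path; the AJAX action names, the `shortcode` request parameter, the nonce action string and the allow-list contents are assumptions for the example. It shows a shortcode preview endpoint that expands caller-supplied shortcode text for anonymous visitors, next to a hardened version that requires a nonce and the capability a content author already needs before shortcodes in their posts get executed.

```php
<?php
// Added illustration (not WooFramework's code). Hook names and the 'shortcode'
// request parameter are assumptions chosen for this example.

// --- Vulnerable pattern -------------------------------------------------------
// wp_ajax_nopriv_* hooks fire for visitors who are not logged in at all, so anyone
// who can reach /wp-admin/admin-ajax.php?action=preview_shortcode gets do_shortcode()
// run on whatever text they send. If a shortcode such as [php] is registered by any
// active plugin, that is code execution on the server with no credentials.
add_action( 'wp_ajax_nopriv_preview_shortcode', 'example_preview_shortcode_vulnerable' );
add_action( 'wp_ajax_preview_shortcode',        'example_preview_shortcode_vulnerable' );

function example_preview_shortcode_vulnerable() {
    $markup = isset( $_REQUEST['shortcode'] ) ? wp_unslash( $_REQUEST['shortcode'] ) : '';
    echo do_shortcode( $markup ); // expands and executes every shortcode handler in $markup
    wp_die();
}

// --- Hardened pattern ---------------------------------------------------------
// 1. No nopriv hook: the endpoint does not exist for anonymous visitors.
// 2. A nonce ties the request to a page the user actually loaded (blocks CSRF).
// 3. A capability check restores the original trust boundary: only users who could
//    already put shortcodes into post content may preview them.
// 4. An allow-list keeps handlers registered by unrelated plugins out of reach.
add_action( 'wp_ajax_preview_shortcode_safe', 'example_preview_shortcode_hardened' );

function example_preview_shortcode_hardened() {
    // Dies with a 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_preview_shortcode', 'nonce' );

    // edit_posts is the lowest default role (Contributor) able to place shortcodes in
    // content; use a stricter capability if the generator is meant for editors only.
    if ( ! current_user_can( 'edit_posts' ) ) {
        status_header( 403 );
        wp_send_json_error( array( 'message' => 'insufficient privileges' ) );
    }

    $markup = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    if ( strlen( $markup ) > 4096 ) {
        status_header( 413 );
        wp_send_json_error( array( 'message' => 'payload too large' ) );
    }

    // Assumed allow-list: only the shortcodes the generator itself offers.
    $allowed  = array( 'button', 'box', 'tabs' );
    $rendered = example_do_allowed_shortcodes( $markup, $allowed );

    wp_send_json_success( array( 'html' => $rendered ) );
}

// Runs do_shortcode() with the global shortcode table temporarily reduced to $allowed,
// then restores the full table so the rest of the request is unaffected.
function example_do_allowed_shortcodes( $markup, array $allowed ) {
    global $shortcode_tags;
    $saved          = $shortcode_tags;
    $shortcode_tags = array_intersect_key( $saved, array_flip( $allowed ) );
    $rendered       = do_shortcode( $markup );
    $shortcode_tags = $saved;
    return $rendered;
}

// The page that hosts the generator must hand the matching nonce to its JavaScript,
// e.g. via wp_localize_script() with the value of:
//   wp_create_nonce( 'example_preview_shortcode' )
```

Two caveats a practitioner would want. First, the example uses admin-ajax, but PHP files inside a theme directory are served by the web server whether or not that theme is active, so a standalone script in a theme folder that bootstraps WordPress and calls do_shortcode() is exposed in exactly the same way; this is why Jason notes that merely having WooThemes installed is enough. Second, the hardened version only restores the intended trust boundary. A shortcode like [php] still hands code execution to every account holding edit_posts, which is a separate problem with such shortcodes regardless of how the preview endpoint is protected.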

The response from the WooThemes folks to this security vulnerability was less than stellar. This is a case study into the mistakes made by WooThemes during this incident that should hopefully serve as a model for what not to do.

WooThemes Case Study

Mistake #1: Not providing a clear way to be contacted

After Jason disclosed this security vulnerability many people chastised him for doing so publicly, instead of privately contacting WooThemes. And while I agree with those sentiments, Jason points out that he searched for a security notice email address and didn’t find one. He added, “Even as a paying customer the only way to get support is via their public forum.”

In all fairness to WooThemes, I found this post providing customers with two support email addresses. They also seem to be very responsive via their Twitter account. So, although maybe not ideal channels for reporting a security vulnerability, there were ways to contact them privately to at least initiate the discussion. Now, I don’t know if Jason attempted these options first and simply received no response.

In any event, the point is that although the above support email addresses exist, WooThemes did not present them where someone who has just found a security vulnerability would look for them. A security contact should be clearly spelled out on their website.

Mistake #2: Quietly releasing a patch to a security vulnerability

This is by far the most egregious mistake. According to the WooThemes folks, they had already fixed the bug and released an update by the time Jason publicly disclosed it.

However, it appears that they neglected to announce this new update to their customers, which meant that many of them continued to use the vulnerable version. I found no mention of the update or details about the security vulnerability on the WooThemes blog. And they apparently neglected to alert their customers via email as well.

What’s the point of patching a security bug if you don’t inform your customers? If they are unaware of the need to update they are unlikely to do so. That helps no one.

Jason points to a single tweet, made at 5:30am, as the only announcement WooThemes made to customers about the need to update: “We found a minor vulnerability in the WooFramework, which we’ve just fixed. Please update to the latest version ASAP!” However, that tweet pre-dates the date on which WooThemes claims the patch for this security bug was released, so it is highly unlikely to be related to this security patch.


I don’t know why they neglected to inform customers about this. Maybe it was a simple oversight. Maybe it was intentional in the hopes that no one would notice. I don’t know. But the reason doesn’t really matter. What matters is that it happened, and the impression it gives current and potential customers about their security practices.

Mistake #3: Relying on their broken auto-updater

There’s no excuse for not alerting their existing customers of this security patch. However, their excuse seems to be that they rely on their auto-updater to push the updates to their customers. This is a flawed idea.

First of all, this requires their customers to 1) happen to log in to WordPress, and 2) care enough to install the update right away. This puts all the burden on their customers. This procedure may be fine for non-security related updates, but for critical security patches a business needs to be more proactive.

In fairness, usually it is the end user’s responsibility to install software updates. However, reputable businesses will inform their customers, as well as the general public, when a security update is released, what security issue it is fixing, and the severity of the vulnerability.

If people are unaware what the update is for, there is no urgency. Software updates sometimes break existing functionality. Therefore, unless it’s security related, there are those that don’t install updates right away.

Secondly, it just so happened that their auto-updater was broken during this time, and was not properly pushing out the updates. So, even if you did log in to WordPress (and usually install non-critical updates in a timely fashion) you would not have seen this update available.

Jason saw the same thing from the outside: the fix had not even reached WooThemes’ own sites.

“Additionally, even if the issue is patched, my link above still works – which means that the patch clearly isn’t working or hasn’t been applied to WooThemes own servers.”

The Perfect Storm

All of these mistakes combined, plus the fact that WooThemes’ servers have been under a DDoS attack for over twelve hours now, are making for a very unpleasant time for the WooThemes folks.

The good news is that this has surely been such a trying time for them that they are unlikely to repeat these mistakes. That means:

  1. Having a clear way for people to privately report security vulnerabilities.
  2. Promptly informing their customers when a security patch is available.
  3. Ensuring their updates are available to all customers.

Jason sums it up well:

The moral of this story is: WooThemes is a great company and makes a great product, but they have grown to the point where security needs to be a real concern. A proper channel to alert them of these issues, along with prompt and honest email notifications of updates to their customers (free and paid), and a publicly-accessible security/updates site (a la RedHat’s RHSA system) are all long overdue. This isn’t just a jab at WooThemes either – a review of almost any paid or free theme will surely come up with many issues like this.

What security lessons have you learned from your mistakes?

What Bootstrapped Startups Can Learn From Rick Santorum
Posted by Zuly Gonzalez. Categories: Case Study, Startups
Image: U.S. Capitol building inauguration (credit: Alex Barth)

Oftentimes we look to other startups’ successes and failures as a roadmap for our own ventures. While that’s a smart strategy, I think much can also be learned from outside the startup scene – something we rarely consider. This is an unconventional case study that looks outside of startups to gather useful lessons learned.

Politics aside, Rick Santorum’s recent rise in popularity has been a great feat, and one that deserves a closer analysis. There are three important lessons for bootstrapped startups in Santorum’s story.

As recently as Dec 20, 2011, a Real Clear Politics average had Rick Santorum polling at 8.6% as the likely 2012 GOP nominee, and previous polls rarely, if ever, had Santorum breaking double digits. Fourteen days later, on Jan 3, 2012, Rick Santorum placed second in the 2012 GOP Iowa caucus with 24.5% of the votes. He came in second to the long-standing frontrunner by only 8 votes. It was touted as a major accomplishment for Santorum by many.

So, what happened? How did Santorum accomplish this? And what can bootstrapped startups learn from him? Let’s take a closer look.

Case Study: Rick Santorum

Lesson #1: Money Isn’t Everything

In the weeks leading up to the 2012 GOP Iowa caucus, the candidates spent millions of dollars in TV advertisements – a total of about $9.7 million.

Out of that $9.7 million, Rick Santorum spent the least on TV ads, coming in at a little less than $22,000. Compare that to Rick Perry, who alone spent over $4.5 million (and only received 10% of the votes). And even when you take into account money spent by external sources (i.e. not the candidates’ own pocket), Santorum’s total dollar amount spent on TV ads is second to last.

So, clearly, having lots of money at your disposal is not a recipe for success. Money helps, no doubt about it, but money without proper execution won’t get you very far. You need to convert that money into traffic, paying customers, and profit.

Let’s consider an example we’re probably all familiar with:

Color raised $41 million pre-launch! That’s an astronomical amount of funding for such an early stage startup. Yet, by all accounts, they have been an absolute failure.

Why they failed is up for debate. There were probably several factors that led to their lackluster results, but why they failed isn’t important (at least not within the context of this blog post). The point is that they had $41 million at their disposal, and still failed.

Compare Color to Balsamiq, a bootstrapped startup that went from $0 to $2M in 27 months. Balsamiq’s success is a result of a great product, good customer service and hard work, which takes us to lesson #2.

Lesson #2: Hard Work Pays Off

Santorum proved that hard work pays off. Of all the 2012 candidates, Santorum spent the most time on the ground in Iowa: a total of 104 days. He was one of only two candidates to visit all 99 counties in Iowa. He hosted 381 townhall meetings with the people of Iowa, and took the time to address concerns even if just a single person attended.

As a comparison, Rick Perry spent just 35 days in Iowa. And although he outspent his opponents on TV ads by several million dollars, he only secured 10% of the votes.

Rick Santorum worked hard, very hard, more than any other candidate did in Iowa, and he reaped the rewards.

Persistence and determination go hand in hand with hard work. Just a few days before the caucus, Santorum was polling in the single digits, and was written off by almost everyone. That has to be a demoralizing position to be in. Yet Santorum ignored the negativity and pushed ahead with a positive attitude. His perseverance paid off in a big way.

Patience is key, too. Those that give up easily at the first sign of trouble will never succeed. If it were easy, everyone would do it, right?

Lesson #3: Communicate With Your Audience

You must be a good communicator. You must effectively communicate your value proposition, and play up your strengths. You must be approachable, and willing to listen to your customers. Ask them questions, listen to their concerns, and show them how you can eliminate their pain.

But first, you need to know who your audience is. Who is your ideal customer? And who are you targeting your message to? This is an important first step that is often overlooked, and the answer isn’t always as obvious as we originally assume. If you can get this right, the rest will follow much more easily.

Going back to Rick Santorum’s case study, Iowan demographics are well known. Evangelicals and social conservatives regularly make up more than 50% of GOP caucus goers. As a social conservative, Rick Santorum used that to his advantage in a big way.

Santorum spent a big portion of his time in Iowa talking about social issues. He built a cohesive message around social issues, and sold himself as a true social conservative. He compared himself to his competition, and properly explained how he was more of a social conservative than his opponents.

However, this wasn’t a one-way conversation. Santorum didn’t just plaster the airwaves with messages about his values. Instead, he made himself available to the people of Iowa, and discussed issues with them in person. He held 381 townhall meetings, and allowed them to ask him unrehearsed questions and push him for answers that made sense.

Lastly, Santorum garnered the support of key evangelical leaders in Iowa. These influential leaders spoke on his behalf, and steered many evangelicals towards him. Think of this as having testimonials on your sales website from industry leaders.

The End Result

These actions resulted in Santorum being 8 votes shy of first place in Iowa – a tremendous accomplishment for someone whose campaign was on life-support just weeks earlier.

That said, taking into account the volatility of this race, it’s likely Santorum’s popularity will fall – just like his opponents rose and then fell in popularity. I don’t think that makes his recent accomplishments any less admirable, but it is bonus lesson #4: Don’t fall asleep at the wheel.

Following Iowa, Santorum spent only 6 days on the ground in the next state to vote, New Hampshire, which resulted in a fifth-place finish for him. A somewhat recent startup example that comes to mind is Digg. Remember when everyone wanted to be on the front page of Digg?

Disclaimer: Light Point Security, LLC does not endorse Rick Santorum, or his political views. This is just an interesting story that has some lessons for bootstrapped startups.