pipdig: Your Questions Answered

This blog post is a follow-up to yesterday’s post: Security alert: pipdig insecure, DDoSing competitors.

Firstly, to re-iterate, my accusations are as follows… pipdig did knowingly and with malicious intent:

  • used other blogger’s servers to perform a DDoS on a competitor
  • manipulated blogger’s content to change links to competitor WordPress migration services to point to the pipdig site
  • harvested data from blogger’s sites without permission
  • used the harvested data to, amongst other things, gain access to blogger’s sites by changing admin passwords
  • implemented a ‘kill switch’ which drops all database tables
  • deliberately disable other plugins that pipdig has decided are unnecessary, without asking permission
  • hide admin notices and meta boxes from WordPress core and other plugins from the dashboard, which could contain vital information

Unfortunately, a lot of my entry (which was aimed at a more technical audience) was not easily understood by bloggers. My apologies first and foremost; it’s been a long time since I’ve written anything technical aimed at a non-tech audience and I’m out of practice at breaking this stuff down. Please bear with me while I attempt to do so now!

I use a pipdig Blogger theme, am I affected?

No, this only affects WordPress users.

I am now recommending that all pipdig users, regardless of their platform, move away from pipdig at the earliest possible convenience.

UPDATE 2019-04-02 20:10: In light of new evidence from Wordfence I categorically recommend that ALL pipdig users should distance themselves from the company as soon as possible.

What is a DDoS and why should I be bothered?

A DDos (Distributed Denial of Service) is a type of computer attack that uses multiple compromised systems to overwhelm a single ‘victim’ system with the intent to bring down that system. In this case, pipdig placed code in their p3 power pack plugin which used their customer’s hosting (their servers) to attack a single competitor (the victim). You, the pipdig customer, are the compromised system.

Imagine standing in the middle of an empty room. Suddenly, thousands of people come into that room all at once and start shouting HELLO at you. Your brain wouldn’t be able to cope with all the simultaneous requests and you would shut down; the same applies in this case to the victim’s server.

You should be bothered because it is not only morally and ethically a massive shitshow, but is also very illegal.

What’s this kill switch/DROP TABLES thing?

The pipdig plugin contained code that could remotely remove all of your database tables. The database is where all of your blog information is stored: your blog posts, blog comments, pages, settings, widget contents, any tweaks you’ve made via the Customiser, etc. Executing this code would wipe your entire blog and unless you had a recent back-up (which most bloggers don’t) you’d have to start again.

Does your previous blog entry cover everything?

No. There were some elements of the code that I didn’t cover because the post was already 2000 words long. There’s a file that was returning multiple blog migration competitors that I was yet to discover the meaning behind. There is code that disables a competitor host’s cache to slow their servers down (hat tip: mama geek for spotting this one) I have multiple versions to get through and I’ve not discovered everything yet.

I am a pipdig hosting customer, does this affect me?

The technical aspects of this do not currently impact upon pipdig customers. There was code in place to bypass all of the malicious bits for these customers. However, you have to ask yourself: do I trust my data with a company that knowingly and deliberately sabotaged competitors and compromised blogger’s sites?

I am a pipdig theme customer, what do I do now?

Take a back-up of your WordPress database and files. Disable the p3 power pack plugin then activate a non-pipdig theme. Once you’ve done that, delete both the plugin and theme off your server. Yesterday I recommended using WP Crontrol to find and delete the related cron jobs but this is strictly speaking unnecessary if you remove the plugin as they’ll fail anyway. Take another back-up of your database and files. Keep taking back-ups on at least a weekly basis (this is general advice, everyone should do it!)

Do you have a vendetta or personal thing against pipdig?

No. I have no experience of pipdig, nor do I believe I’ve ever dealt with any of their staff or coding prior to this week. My sole interest is to ensure the ongoing safety of other bloggers. This isn’t a new thing, I’ve been campaigning against bad coding and security issues since 2004. I have been quoted in technical publications for previous work in this area. I’m not just a numpty with an axe to grind.

Why should we trust you?

You shouldn’t. I’m a nobody as far as you’re concerned. However, a huge range of developers from a broad range of technical backgrounds have verified my findings. Wordfence, one of the biggest providers of WordPress security products, independently found the same technical and security issues with pipdig code.

How do I fix this?

My recommendation is to remove the pipdig p3 power pack plugin, remove any pipdig themes and activate a free theme (even if it’s just the standard twenty nineteen, until you find one you like). While pipdig released an update removing the malicious code after Wordfence contacted them about their findings, there’s nothing to stop them from rolling this out again in future.

Are you sure this isn’t some developmental accident added in recently?

Yes. I have 7 previous versions of the power pack plugin dating as far back as 2017, as well as the version I based yesterday’s post on, and they all contain either all or parts of the malicious code in question.

Why would pipdig do this to their customers?

Good question. I’d recommend asking pipdig as a first port of call. However, there are several reasons why they might have done this:

  • Sabotaging a competitor theme provider makes it harder for bloggers to buy viable alternatives, leaving pipdig as the best option
  • Sabotaging competitor host providers allow pipdig to lean in with their gold standard customer service and offer their hosting as a “better alternative”
  • pipdig made some half-arsed claim to wordfence that it was related to plugin/license theft and controlling that. While this is at least tenuously feasible, deleting the entire blog of someone because they failed to cough up £30 for a WordPress theme is inexcusable.

pipdig say you’re lying!

OK, not strictly a question. I am aware that pipdig have released a statement claiming that I am lying. Firstly, this statement only serves to attempt to attack my character rather than dispute any of my accusations. Secondly, it addresses only my post, and none of the accusations made by Wordfence or other developers. I can only assume they think that because I’m “just a blogger” I am the easiest target. They are really very wrong.

Isn’t this slander/libel?

It’s definitely not slander, because slander applies to the spoken word. It’s also not libel, because I have evidence to back up my claims as well as the support of an entire industry also backing up my claims.

Why didn’t you get in contact with pipdig before writing your post?

In normal development scenarios, where a security bug is found, it’s absolutely imperative that the bug is disclosed to the software or code vendor to give them time to release a fix protecting their customers. In this case, because pipdig are the cause of the issue, this does not apply. I did not wish to give pipdig time to hide their wrongdoings, and I knew that the customers would be better protected by going public: forcing pipdig to fix the issue. This logic was proved as they’d already started to cover their tracks by the time I’d published my post; I had assumed at the time that they’d pick up on my traffic to their malicious files, but the evidence now suggests that Wordfence’s contact tipped them off.

You were rude to me, why should I believe you?

Was I actually rude to you, or did I reply to a statement you made or question you asked in a forthright manner direct and to the point? Because I very much abide by a simple set of rules when it comes to conversation: say what I mean and mean what I say. Being upfront with you isn’t rude.

But you called me an idiot!

OK, I was rude to you. But you probably were being an idiot.

I have a question that’s not answered here

Pop it in the comments, via email or in a DM and I’ll answer it as soon as possible. Please bear in mind I have a young family and a business of my own to run, so this may not be straight away.

6 comments so far

  1. Alex said:
    On 01 Apr at 2:51 am

    Interesting stuff, Jem.

    It looks like they want to take legal action, will you be putting together a P3 (lol) to show code examples responsible for the certain features?

    I think this would seal the deal in many developers minds and get this story even more exposure.

  2. Benji said:
    On 01 Apr at 11:56 am

    Taking a look at replies to pipdig’s tweet, their customer base seem to be bunch of non-techs that blindly trust pigdig even with all the proofs, so i think they deserve to have their sites compromised

  3. Ryan said:
    On 02 Apr at 2:13 pm

    As a professional security consultant, I have exposed a couple of companies publicly in the past that were engaging in questionable behaviour. Pipdig’s response, and handling of this situation in general, is awful, and only compounds their guilt.

    They have tried to attack your character, it looks like they may have threatened legal action, and they have attempted to cover their tracks.

    From my previous encounters in similar situations this is typical of companies that care very little about their customers, their product’s quality, or the community in general.

    Even if you’re thick skinned, which it seems that you are, I know it does get to you, even if it’s just a little bit. But, you did nothing wrong, no matter how much they try to make you think you might have. They are the ones in the wrong.

    And don’t worry about the legal action, I’ve had these threats in the past, and it never went further than empty threats. This is the only way they can retaliate after you exposed them for what they are.

  4. Reena said:
    On 04 Apr at 7:57 pm

    Hi Jem,

    As a blogger, I just want to say a HUGE thank you for looking into this and your comprehensive posts. I’ve taken your advice on board and disabled the P3 plug-in and installed a placeholder theme. I’m so disappointed as he preyed on bloggers who may not necessarily have the technical skills or knowhow to spot this. I only installed my theme with them in Feb so it feels like a huge betrayal as well as a waste of money…but I’d rather know and keep myself (and others) safe so thank you.

    Reena