UPDATE 9 Aug 2017: Developer lies about fix
I contacted the developer PixFlow. On the 4th Aug 2017 they replied claiming to have fixed this problem in their latest update, but downloading the zip file 5 days later and the file available is still infected. Not to mention they’ve sold another 100+ copies of the software to completely unsuspecting buyers in the market place. This only seems to backup my claim that this infection is quite possibly being done intentionally by the developer. Which is a very scary thought indeed.
Themeforest and Massive Dynamic Security
Be Aware: This is a genuine security threat to thousands of websites. If you already use Massive Dynamic, you may have already fallen victim and not even noticed. I’ll try not to be all doom and gloom, because honestly that’s not my style. But seriously, stop using it now and run a level 10 diagnostic (or the real world equivalent) ASAP.
Today, 4th Aug 2017 I made a shocking discovery hidden in Massive Dynamic Website Builder‘s source code. I’m not exaggerating when I say this issue is massive either. Having almost fallen victim to it myself, I rather wish I was. The implications would be easier to deal with but we’ll revisit that point later.
What is ThemeForest/Massive Dynamic and Why Should I care?
For those of you who don’t know Themeforest is the largest site in the Envato network, one of the world’s largest and most popular open marketplaces for software developers with “over 1.5 Million active buyers and sellers and over 8 million community members”. In 2016 reported revenues of $73 Million USD.
Massive Dynamic is a theme and website builder for WordPress. It’s one of ThemeForest’s best sellers with current sales of 9,496 units and 49,731 sales made by the developer, rated as a Power Elite Author the highest rank on the site and are probably about to land their very one spot of the sites Wall Of Fame for making over $1,000,000 in sales. In a nutshell they’re a serious contender and a well respected member of the community.
First Impressions Can Be Deceiving
So earlier this week on the 30th of July, After being impressed by the demo version of 4.3 (An important detail later) I got to test, I purchased Massive Dynamic through Themeforest. My hopes were high and this was the first app I’ve been excited about getting my hands on since before Christmas. It had some great unique features, I had a few gripes, but nothing I couldn’t grin and bare, but that changed only a few days later.
Serious Implications For Themeforest?
Themeforest is no stranger to criticism due to it’s lack of quality control, sub-par developers and no returns policy. But it’s the devil you know, temptation is always so cheap and you’re pretty confident that you won’t ever catch anything nastier than several days worth of sleep deprivation, and a mouth ulcer.
James Rose of Content Snare, writes a great post called “8 reasons we almost never use ThemeForest Themes” a great article that beautifully sums up many of my own thoughts, feelings and more importantly frustrations in a pieces that’s fun and light to read.
I know his pain on a spiritual level when he writes “Even as a WordPress veteran, I’ll spend way too long looking through 100 menus for one simple setting that is in a weird place. On a website that only has a few pages. It makes no sense. Sometimes, TF themes make something that should be so simple so damn complex.”
A Second Opinion
Jill Caren of 2 Dogs Media writes about Themeforest in her article “ThemeForest Theme Review: Why We Never Recommend ThemeForest Themes”
In the article she explains common frustration of making the template look anything like it did in the “brochure”.
Jill’s Article Says:
“Most themes are so complex that it will take a lot of work to get it to look like the same you may see on the sales page!
“Even as web developers – we have found many of the themes to be pretty confusing to setup. From complex page templates to scattered admin areas and widgets – sometimes you just do not know where to start.
“Sometimes the instruction that are included are also less then helpful — some we have seen were not even updated to the latest theme version in the interface so what we would see in the admin does not match the images in the PDF help file. Others you could tell English was not their native language and could be difficult to understand.”
Comforting To Hear?
I’d supplement that last part by adding, I’ve experienced plugins and themes that have little more than a couple of sentences briefly outlining the general idea of what something does, but not even one clue how it does it. It’s a bit like the three seashells joke from Demolition Man. It’s funny because they never tell you. Just like the developer is laughing all the way to the bank with your $49. 😉
As a fellow designer and WordPress veteran, it’s certainly comforting to learn you weren’t the only one who found these frustrations and there are probably many with similar experiences. When there are thousands of 5 star reviews, it’s easy to fall into the trap of self doubt.
Not Just Another Vulnerability
Vulnerabilities and exploits in software are very common. Most, if not all software has them to varying degrees. Many articles have been written on the subject, like this one from software developer Scott Norberg and this one by Ashley Phillps on ABC News go as far as saying 100% secure is “Impossible”.
The Exploit Database claims to archive 37,575 at the time of writing. New exploits are found frequently and sometimes patched almost as quickly. Many of the big open source projects have meticulous records of new, current, long life and patched exploits publicly available.
Vulnerabilities and exploits are a serious issue, of that there’s no question. But they’re rarely intentional and require serious knowledge to even call yourself a beginner. The Internet is made up of 10’s of millions of websites, unless your site holds a particular interest, personal or political chances of you being targeted by any hacker skilled enough to breach high level exploits is significantly overshadowed when according to this article in Forbes the vast majority of data breaches are the result of weak passwords combined with employee and thirdparty negligence.
What we know so far?
- Themeforest is a very well established, profitable, generally well respected and most importantly trusted by millions as a safe place to do business.
- PixFlow is also a trusted entity and a long term and established developer.
- Massive Dynamic is a very popular product with almost 10,000 units sold to date.
- There is no restriction installing a single purchase of Massive Dynamic on multiple sites, so it’s possible it’s activate on several times that many website, .
So What’s The Big Deal Then?
Well given that these two entities who are trusted by so many people and as millions of purchases are made every year without incident, millions of buyers confidence that their purchase is clean and safe to use. What I discovered hidden inside a content.xml file in my recent purchase of the Massive Dynamic theme begs belief.
How this went through any sort of quality control unnoticed is actually quite horrifying. I actually discovered it while uploading the theme files to an ipage server I use for testing. It’s not unusual for a few files to fail out of several thousand during an upload to iPage, so I requeued the 8 files in FileZilla and hit process queue for a second time, this time there was still a file that said failed, I attempted to upload several more time, before I realised there was a serious issue, glancing at the log feed in FileZilla the following:
Response: 150 Opening BINARY mode data connection for demo19.zip
Response: 550-Virus Detected and Removed: SiteLock-HTML-SEOSPAM-ige.UNOFFICIAL
Response: 550 demo19.zip: Operation not permitted
Error: File transfer failed
The file in question was packed inside a zip get blocked and filtered
I’m sure you can imagine my reaction. Obviously highly concerned I scanned the zip with several anti virus, but got nothing, so I unpacked it and scanned again… Still nothing. Surely iPage is getting a false positive somehow I thought, so I tried to upload the individual files, again a single file was being rejected, the content.xml file. Knowing that it was safe to view the content of the file in a standard text editor I opened it up in Notepad++
What I found was very concerning to say the least.
The entire XML file was infested with thousand and thousands pornograhy links, wares sites, sexual supplements, viagra, you name it, it was filled almost 20,000 lines of code 90% of which was some of the worst SEO spam I’d ever seen. If even a fraction of it infected a database, it would be a nightmare to get rid of. Not to mention the countless security holes such a thing would leave wide open.
The Scientific Method. Check, Check & Check Again!
It was difficult to believe what I was seeing. I re-downloaded both versions of the source files multiple times, the full documentation and the install only zips, same result everytime. I’ve even had my brother check his version to be 100% sure.
Maybe I’m being really really naive, but I’ve never experienced or heard anyone else finding something this messed up on ThemeForest, or any other trusted software retailer for that matter.
Being such a well established entity as a software marketplace. Common sense would suggest Themeforest and it’s sister sites must have some sort of fairly robust security measure in place to safeguard against developers with less than honest intentions. If not strictly enforced the platform could be used to surreptitiously distribute malicious applications to unsuspecting buyers with relative ease. Fast becoming a serious problem.
So how did something this huge slip by unhindered?
But wait, It’s about to get a whole lot worse.
Remember I mentioned I had an older version 4.3 to demo, well I went back and checked didn’t I?
Yes, it was there clear as day too.
That makes this find even more disturbing, the same virus present since at least version 4.3, it could have been there a lot longer for all I know. But according to the Massive Dynamic changelog, this has gone unnoticed and unfixed for at least 4 updates and at least 3 months. Leaving with the very real possibility this has potentially affects 10’s of thousands of websites already, and no one’s dealt with this, or even noticed it yet?
I’m expecting when this becomes widespread knowledge, it’s going to cause a lot of problems for both PixFlow and Themeforest alike.
If you’re reading this, make sure to hit the share button, or several if you can. Pixflow need to be named and shamed, a de here because as an irresponsible and dare I say potentially malicious developer?
I honestly had really high hopes for this product, and even got my brother excited enough about it to purchase himself his own copy. Which only a few hours later I had to backtrack in a frazy with an ALL CAPS RAGE over Skype. “MATE, DO NOT USE THAT MASSIVE DYNAMIC!”, “It’s got a virus in it”. If I hadn’t caught it before being uploaded to a production server, the downtime to fix it could have cost thousands in lost sales, even in the best case scenario. If it lead to anything seriously malicious breaching security the damage had the potential to be near catastrophic.
Being Security Conscious Just Got A Lot More Complicated
I’m extremely security conscious, and I always meticulously check and scan files and folders if the software was from anyway that I had any doubts about. But when something as serious as this comes part and parcel in a paid for product from a seemingly well founded and respected development team, with many thousands of happy customers and almost 50,000 product sales under their belt.
Not to mention, through one of the biggest and most established developer marketplaces in the world. It’s suddenly become a very difficult to know where you can ever draw the line between sites you trust and sites you don’t trust to do business through. If even Themeforest is no longer a safe environment in which you can purchase software products you can be confident are safe to use, where can you?
Trust No One?
The worst part is this virus can’t be picked up via a normal antivirus, the code was placed inside the content.xml which is perfectly safe to read via a standard notepad. It’s only when the data from the xml file is imported into the sites database and becomes active that it becomes a risk, so unless you have linux/apache antivirus scanning the files during the upload process, it’s very likely you wouldn’t find out until it was too late.
Massive Dynamic, it’s developer PixFlow and by proxy Themeforest themselves have suffered a serious breach of security, quality control and consumers trust. It’s almost certain this malicious code is laying dormant on thousands of websites. Potentially jeopardising the safety and privacy of any online businesses and consumers that have been unlucky enough to let this slip by them.
Do you think they should get some sort of repercussions and potentially face liability for any damages caused by their software?
I almost feel like I’ve fallen into some major cyber scandal, because the more I run it through in my head more I have trouble believing no one found this within minutes, the fact that a security breach this big just fell through the cracks, I simply can’t accept at face value, so that being said, I honestly feel it’s a reasonable question to ask…
Intentional or Incompetence?
If you can design something as sophisticated as massive dynamic, you’re not incompetent by any stretch of the imagination, so how is it even possible to miss 20,000 lines of spam hiding in the content file of one of your demo installs? For at least 3 months, maybe a lot longer, I’m curious to find out just how long this has been going on for.
I plan to contact Themeforest and its parent company to present the evidence I have found and hope that Pixflow are dealt with harshly. Personally I think this is seriously newsworthy. If you agree, share this and name and shame PixFlow.