PSA: Vulnerability Disclosure 2020/09/17

Lukasz Erecinski Sep 17. 2020 33

PINE64 (both the business and the community around it) prides itself on transparency. Often, this transparency is used to give you a behind the scenes look into our operations. 

But today, we’re afraid we must be transparent about something else.

As of approximately 4:30am GMT on 2020/09/17, we discovered an intrusion to our Pine Store web instance. This took on the form of spam/scam pages hidden on our web server, with scripting to only be visible to crawler bots. After discovering this, we immediately shutdown the web server and began investigation.  

To our knowledge, this happened via an exploit in one of the WordPress plugins on the Pine Store, with initial attempts logged as early as 2020/09/05. It appears this was not an active malicious attack on our server, but merely automated bots tasked with placing scam store pages. 

Needless to say, we remedied the situation and took extensive steps to prevent similar incidents from occurring in the future. 

Due to the nature of the attacks we’ve reviewed, we do not suspect that customer information was a target, nor we expect any was exfiltrated. We can guarantee that, without a doubt, no credit card or other financial information was placed at any risk of being exposed. 

We hope that this event does not damage your trust in us beyond repair, as we work to recover from this event.

— Lukasz Erecinski, Community Manager

33 responses to “PSA: Vulnerability Disclosure 2020/09/17”

Your email address will not be published.

I accept the Privacy Policy

    Disclosing issues that might not look good for the company, in fact, boosts the trust as opposed to diminishing it. Transparency at its finest. Well, let them concentrate on what matters. I guess it’s fair to say we care abt their products and not the website:)

    The fact that this was caught, dealt with, and disclosed to the public so quickly is astonishing. This kind of clear and immediate disclosure to the public only strengthens Pine64’s excellent reputation in my eyes. Many companies could learn a lot by studying your incident response!

    Dude. I bought mine in June. I just got it like 3 days ago. They’re FOSS hardware. You expect prime 2 day shipping? Then buy a closed source flagship from Samsung or something.

    Please note the monthly updates where the was a mentin of issue with getting the display for the Pinebook Pro.

    Actually shipping was rather swift. But it tooks weeks before my pinebook was ready to ship. Once shipment started it was extremely fast.

    It would be beneficial to the developer community to know which plugin contained the vulnerability, so we can eliminate any weakness on our own sites.

    I agree with the others:
    1) Good job dealing with it.
    2) Thanks for the transparency.
    3) Please tell us which plugin was the attack vector.

    Richard Applegate,
    Different devices (and different target locations) have shipping requirements, and I think that at least some of the tracking (if not most or all of it) is triggered manually.
    I got notification of shipping for my PINE64-LTS within a couple of days, and then it took about 2 weeks for it to make it here.

    I placed a second order the same night for a Pinebook Pro, got that shipping notification about 2.5-3 weeks later, same day as the notification, I got a text from DHL to confirm whether I wanted to waive the signature requirement. three days later (and those 3 days were over a weekend), it was here.

    My RockPro64 was ordered about 2 weeks later, took 5 days to confirm shipment, and it’s been a week so far. I’m guessing it will arrive next week.

    Just keep this in mind, there appear to be different notification workflows (and quite possibly different factories/shippers) for different products. Seeing this contrast, I try not to worry too much. This isn’t a megaconglomerate with their own hangars/freight hubs at major logistics companies. It’s a tiny company running on a shoestring budget and there are people doing the best they can to notify us of different shipments using information from different parties, so they are not necessarily in control of that process aside from sending the information along when they get it.
    I don’t claim to be a special authority on this, but I have worked for small and large tech companies and am familiar with partner relationships – honestly, if I get gear from China less than a month after ordering, I am not worrying. At about 4 weeks/a month, I would reach out to ask what’s up and try to keep in mind that there can be unforeseen delays, and circumstances this year have hobbled development and order fulfillment.

    WordPress vulnerabilities, and I say this as someone who has supported public-facing systems for over 20 years, make me nervous. Like anything else, it is possible to stay on top of things, but it seems that WordPress is one of the primary online hacking targets.

    I’m guessing this was an exploit from a botnet or similar – I see tens if not hundreds of thousands of automated exploit/brute force attempts every day, and I watch over dozens of machines with limited public facing ports. a few hundred or so possibly seeing millions of the same attempts if I count customer on-premise appliances that I support and help manage. And that’s on a relatively small attack surface.

    WordPress hosts or provides code for loads of small businesses. Their vigilance, as well as that of small businesses, is very crucial, as is transparency and communication with WordPress and the community of people and businesses using it is important and commendable.

    Thanks for the heads up – I’ll still watch my credit cards, but I do that anyway – I’d much rather hear the news, good or bad than not.

    That you put this out in the open as fast as you have found out, makes me trust you more. Keep going on whit this humilty, you are defently doing an absolut fantastisk job. And thx to all who participate in makeing this community great.

    doesnt matter says:

    Thanks for fast incident response and transparency.
    Such situations are always an opportunity to further improve security strategies. E.g. I wonder if that vulnerability has been closed before the attack in the WordPress plugin and the patch just haven’t been installed. If so maybe it’s a good idea to register for some WordPress (or plugin) security newsletter to be always up to date and can act before an attack. Automatic updates could be considered, but of course there is the real world possibility of an update to break something.

    Just speculating here with best intentions.

    Good luck.

    Bardzo się cieszę, że jest informacja.
    Wydaje się, że zareagowaliście poprawnie. Jeśli pytanie brzmi czy bym kupił od was sprzęt? Tak kupiłbym i podał dane, ale na razie nie ma informacji o polskim sklepie. A bład jest w kodzie firm trzecich (wordpress) wiec plusy za reakcje , smuteczek , że to się dzieje.

    Pocieszam się, że to wynik coraz większej popularności idei i sprzętu. Sam się przyczyniam do reklamowania pine(*) czyli phone, book pro, lutownicy itd. Będzie dobrze co ma nie być.

    Harry Miktarian says:

    PS… that is an American “Thumbs up!” …which is a good thing. This is not a thumbs up from a country where a thumb up is a bad thing 🙂

    I was nervous half way through reading but a lot better once finishing getting through the post. Thanks for keeping the community updated. There are many companies out there that would just brush events like this under the rug and pretend nothing happened.

    Tony Widick says:

    Honestly, You are only one of a few companies that let people know they had been breached in such a short time. You even gave a time frame of when this all started. I trust you a lot more. I have never ordered a pine product, but recently was thinking of a pine phone as a daily driver. As long as calls and texts and HTML 5 work that is all i need for my personal phone besides privacy. I wish more companies could be like you.

    Yea, as long as you are using an outside payment entity (which I believe is Paypal?), that at least prevents them from tapping customer money accounts. But I do not recommend WordPress (nor their plugin’s or builds) anyway! Why use them? Just get an account with GoDaddy (or another like them) and build your own HTML/CSS pages. (DDG search: GoDaddy website security). Besides, if you build a Storefront on Amazon that would be awesome for sales and security!

    As for the Pine Phone, I’d like to see something more like a tablet with Data-only SIM capabilities. Forget the traditional phone’s voice/text setup. Why? Because nowadays more people are using Apps for communication, which uses WiFi or Data. This would simplify it considerably; it would be a back-pocket-sized Linux tablet with data-only SIM connectivity, along with WiFi & BT of course. (DDG search: Linux communication apps). Then, invest in the battery, like 5000mAh in size, and then, one (1) really good camera lens, and finally, an expandable micro SD card slot with up to a 1T capability. An onboard eMMC of 32GB would be more than enough for any Linux OS, its Apps, updates and so on. All personal data, music and pics would go onto the SD card by default.
    Just an FYI from Grey Geek!

Subscribe to the PINE64 blog