[wp-hackers] Hookd? Sketchy Plugin Include

Otto otto at ottodestruct.com
Wed Sep 14 01:03:45 UTC 2011

Well, the site itself is down, but Google has a cache of the text, at
least: http://webcache.googleusercontent.com/search?q=cache:TN9eReW6ak0J:hookd.org/+hookd&hl=en&gl=us&strip=1

"hookd is a free plugin management and analytics package for widgets
and plugins. the system runs totally platform independent and allows
you to provide easy to maintain hooks for your plugins, one such use
can be dynamic code updates and automatic rollbacks which are not
currently easily implemented otherwise.
hookd also acts as a plugin analytics system, it will track your
activations per day, deactivations per day, total running sites, usage
figures and much more."

Yeah. This is not allowed in the repository. We consider it to be
"unauthorized collection of user data". Not to mention that when the
site it's contacting goes down, the plugin and the sites trying to
call it stop working.

Bottom line: No making hits to any third party site, for any reason,
without the user's informed, or obvious, consent.

For example, it's fine for a Facebook plugin to make calls to
Facebook, as that's rather obvious. A user activating such a plugin
would expect that to happen. It's not okay for a "Hit Counter" plugin
to be contacting a plugin analytics site (without a checkbox to allow
the user to consent to it).

The plugin has been de-listed, and the author will be contacted
shortly. But next time, email plugins at wordpress.org first.


On Tue, Sep 13, 2011 at 5:28 PM, Jackson Whelan <jw at jacksonwhelan.com> wrote:
> Howdy,
> Trying to help someone in the forums complaining about a plugin
> (http://wordpress.org/extend/plugins/hit-counter-ultimate/) causing their
> site to crawl, and stumbled across this included file which looks like it
> could be used for great malfeasance.
>  http://plugins.svn.wordpress.org/hit-counter-ultimate/trunk/class.resource.php
> Makes calls to hookd.org and requests actions and filters to be added.
> Creates a world-writable directory while it's at it as well.
> Is anyone familiar with hookd.org? Am I paranoid for thinking this is
> dubious?
> As a bonus the plugin emails the author with the URL of the site it was
> activated on, with no user consent or knowledge.
>    http://plugins.svn.wordpress.org/hit-counter-ultimate/trunk/image.php
> Which would make sense as it would allow them to fine tune the junk they
> deploy.
> I found this related post in the forums from a year ago.
>    http://wordpress.org/support/topic/my-site-hacked?replies=14
> I've already emailed plugins at wordpress.org, but thought I'd ask if anyone
> here was aware of this.
> No comment on hit counters being used in 2011, but if you'd like to step
> into the wayback machine just look at the screenshots : )
> Thanks! Jackson
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list