Security threats grow with every advance in technology, and even the tech giants suffer breaches. In the first week of May, Google released a patch for Google Site Kit without publishing any notice of the security flaw in the Site Kit plugin. Wordfence announced it as a “Major vulnerability found on the Google Site Kit plugin”.
What is the Site Kit plugin?
Site Kit is Google's official plugin for viewing site statistics directly in the WordPress admin panel. It integrates several Google products, such as Search Console, Analytics, AdSense, PageSpeed Insights and Tag Manager.
A team of researchers from Wordfence identified the threat and reported a major vulnerability in Site Kit (version 1.8.0), which affects over 400,000 active WordPress installations.
Wordfence also described the effect of the vulnerability: any authenticated user can become an owner of the site's Google Search Console property, regardless of that user's role on the site.
Given the severity of the issue, they submitted a detailed report to Google so the plugin could be updated promptly.
If an attacker obtains Search Console access, they can remove the sitemap, remove pages from the SERPs, or drive a massive black-hat campaign through other accounts.
They also set up the ProxySetupUrl for existing Wordfence customers. The report was filed on 21 April, and Google released the patch for this threat on 07 May 2020.
According to Wordfence vulnerability researcher Chloe Chamberland:
“Connecting two systems, like a WordPress site and Google’s site ownership tools, always comes with some degree of risk. Ensuring the integration between both systems is secured is critically important. When companies like Google have an easy-to-find vulnerability disclosure policy in place, it helps researchers get fixes out quickly to end-users. As the space matures, we’re seeing more developers publishing clear Vulnerability Disclosure Policies, but more needs to be done to ensure that security researchers and developers can quickly connect and make the web safer for us all.”
The privilege escalation gives any non-administrative user on the site access to sensitive data in Google Search Console. A user who is only a subscriber, or any other attached user who is not an administrator, can exploit the flaw through Google's Site Kit plugin.
As a result, the affected website may be blacklisted through manipulation of competitive data in Search Console. The site's ranking is also put at stake, and there is a further chance that the attacker requests removal of the site's URLs from the search engine itself.
How to protect your site from this attack?
Ownership of the site can be verified by checking the users listed in Search Console. An attacker might have added a user for future monitoring. The video below shows how to check whether an additional user was added.
Video: “Major vulnerability found on the Google Site Kit plugin”, explained by Wordfence.
The GitHub changelog does not confirm that the vulnerability has been resolved; it only states: “This release includes security fixes. An update is strongly recommended.”
Google Site Kit's news center likewise does not point to the identified breach, nor does it mention the patch that was released.
It is highly advised to update your Google Site Kit plugin and check your Search Console data to ensure that no tampering has occurred. It is also advisable to keep all plugins at their latest version and remove unused plugins from the admin panel.
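The two housekeeping steps above (confirm the installed Site Kit build is newer than the affected 1.8.0, and find installed-but-inactive plugins to remove) can be scripted against the output of WP-CLI's `wp plugin list --format=csv`. The following POSIX shell script is an added example written for this article; it is not code from Wordfence, Google or the Site Kit project. The CSV embedded in it is a constructed sample standing in for the real command output, the function names are this example's own, and the only fact it relies on is the article's statement that version 1.8.0 is the affected release, so it flags any Site Kit version at or below 1.8.0.

```shell
#!/bin/sh
# Added example (not from the article, Wordfence or Google): audit a WordPress
# plugin inventory for a Site Kit build at or below the affected 1.8.0 and for
# inactive plugins that should be removed from the site.
#
# Input is the CSV that `wp plugin list --format=csv` prints
# (columns: name,status,update,version). The sample below is constructed so the
# script runs offline; on a real site replace it with the command's output.
SAMPLE_PLUGIN_CSV='name,status,update,version
google-site-kit,active,available,1.8.0
akismet,active,none,4.1.5
hello,inactive,none,1.7.2'

# version_le A B : return 0 when dotted version A <= B, comparing numerically
# field by field (so 1.10.0 > 1.8.0, which plain string comparison gets wrong).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# site_kit_affected CSV : print the installed Site Kit version; return 0 if it
# is at or below 1.8.0 (the article's affected release), 1 if newer, 2 if the
# plugin is not installed at all.
site_kit_affected() {
    ver=$(printf '%s\n' "$1" | awk -F, '$1 == "google-site-kit" { print $4 }')
    [ -n "$ver" ] || return 2
    printf '%s\n' "$ver"
    version_le "$ver" "1.8.0"
}

# inactive_plugins CSV : print the names of plugins that are installed but
# inactive; the article advises removing unused plugins from the admin panel.
inactive_plugins() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Stand-alone run against the constructed sample.
if ver=$(site_kit_affected "$SAMPLE_PLUGIN_CSV"); then
    echo "Site Kit $ver is at or below 1.8.0: update it now"
fi
inactive_plugins "$SAMPLE_PLUGIN_CSV" | sed 's/^/inactive plugin, consider removing: /'
```

On a live site, pipe `wp plugin list --format=csv` into a variable and pass it to the two functions; the numeric version comparison matters because a later Site Kit release such as 1.10.x would otherwise sort before 1.8.0 under string comparison.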