I pen this mini-tome on “GDPR Enforcement Day”. The spirit of GDPR is great, but it’s just going to be another Potemkin Village in most organizations, much like PCI or SOX. For now, the only thing GDPR has done is make GDPR consulting companies rich, increase the use of JavaScript on web sites so they can pop up useless banners we keep telling users not to click on, and increase the size of email messages to include mandatory postscripts (that should really be at the beginning of the message, but, hey, faux privacy is faux privacy).
Those are just a few of the “unintended consequences” of GDPR. Just like Let’s Encrypt & “HTTPS Everywhere” turned into “Let’s Enable Criminals and Hurt Real People With Successful Phishing Attacks”, GDPR is going to cause a great deal of downstream issues that either the designers never thought of or decided — in their infinite, superior wisdom — were completely acceptable to make themselves feel better.
Today’s installment of “GDPR Unintended Consequences” is WordPress.
WordPress “powers” a substantial part of the internet. As such, it is a perma-target of attackers.
Since the GDPR Intelligentsia provided a far-too-long lead-time on both the inaugural and mandated enforcement dates for GDPR and also created far more confusion with the regulations than clarity, WordPress owners are flocking to “single button install” solutions to make them magically GDPR compliant (#protip: that’s not “a thing”). Here’s a short list of plugins and active installation counts (no links since I’m not going to encourage attack surface expansion):
- WP GDPR Compliance : 50,000+ active installs
- GDPR : 10,000+ active installs
- The GDPR Framework : 6,000+ installs
- GDPR Cookie Compliance : 10,000+ active installs
- GDPR Cookie Consent : 200,000+ active installs
- WP GDPR : 4,000 active installs
- Cookiebot | GDPR Compliant Cookie Consent and Notice : 10,000+ active installations
- GDPR Tools : 500+ active installs
- Surbma — GDPR Proof Cookies : 400+ installs
- Social Media Share Buttons & Social Sharing Icons (which “enhanced” GDPR compatibility) : 100,000+ active installs
- iubenda Cookie Solution for GDPR : 10,000+ active installs
- Cookie Consent : 100,000+ active installs
I’m somewhat confident that a fraction of those publishers follow secure coding guidelines (it may be a small fraction). But, if I were an attacker, I’d be poking pretty hard at a few of those with six-figure installs to see if I could find a usable exploit.
GDPR just gave attackers a huge footprint of homogeneous resources to attempt at-scale exploits. They will very likely succeed (over and over and over again). This means that GDPR just increased the likelihood of losing your data privacy… the complete opposite of the intent of the regulation.
There are more unintended consequences and I’ll pepper the blog with them as the year and pain progresses.
2 Comments
Would love to read something about that part!
Oh, the Let’s Encrypt Intelligentsia Strike Force dislikes it when folks point out that they enabled malicious folks to get green trusted lock icons for sketch web sites and now riff off of wildcard domains to create really effective phishing sites. They’re zealots who cared not for interim harm for a long-term goal. Still trying to figure out who made them our internet gods.
2 Trackbacks/Pingbacks
[…] *** This is a Security Bloggers Network syndicated blog from rud.is authored by hrbrmstr. Read the original post at: https://rud.is/b/2018/05/24/gdpr-unintended-consequences-part-1-increasing-wordpress-blog-exposure/ […]