Popular WordPress platform Flywheel vulnerable to subdomain takeover, researcher claims
A subdomain takeover vulnerability in a popular WordPress hosting platform could allow an attacker to deploy malicious code to a victim by impersonating a legitimate website, a security researcher claims.
The alleged security flaw was discovered in Flywheel, a platform that offers WordPress hosting and related services.
A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain, usually when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it.
“This can happen because either a virtual host hasn’t been published yet or a virtual host has been removed,” said Ahmed Elmalky, who discovered the issue.
In a recent blog post, Elmalky claimed he was able to exploit the vulnerability by finding a page that was hosted by Flywheel but wasn’t set up correctly.
He subscribed to Flywheel for $15, created a site, and linked it to the vulnerable subdomain, thus taking it over.
In order to protect against this simple but potentially damaging attack, end users should audit available DNS records and make sure they are aware of how exactly they are used and what type of services or applications are managed on them, Elmalky said.
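The audit Elmalky recommends can be scripted. The following is an added example, not code from the article or from Flywheel, that walks a zone's CNAME records and flags two conditions a defender cares about: a target that no longer resolves at all, and a target that still resolves (shared provider IP space, as in the WP Engine statement) but where the provider answers that no site is bound to the hostname. The zone records, resolver answers, HTTP responses and the "unclaimed" signature string are all constructed for the example; in a real audit the two stub functions would be replaced by a DNS lookup and an HTTP request against the subdomain.

```python
"""Flag dangling CNAME records that could be claimed by a third party.

Added example for auditing DNS records; all data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "blog.example.test"
    rtype: str   # "A", "CNAME", ...
    value: str   # address or CNAME target


# Constructed sample zone (example.test is a reserved, non-resolving TLD).
SAMPLE_ZONE = [
    Record("www.example.test", "A", "192.0.2.10"),
    Record("blog.example.test", "CNAME", "host-old.hosting.example.test."),
    Record("shop.example.test", "CNAME", "host-live.hosting.example.test."),
    Record("docs.example.test", "CNAME", "shared.provider.example.test."),
]

# Constructed resolver answers: target -> A records. A missing key or an
# empty list stands for NXDOMAIN / no answer.
SAMPLE_ANSWERS = {
    "host-live.hosting.example.test": ["198.51.100.5"],
    "shared.provider.example.test": ["203.0.113.7"],   # shared IP, still resolves
}

# Constructed HTTP responses keyed by the Host header the provider sees.
# (status, body); a shared-IP host routes on the hostname, so an orphaned
# hostname typically gets a generic "not configured" page.
SAMPLE_HTTP = {
    "shop.example.test": (200, "<h1>Welcome to the shop</h1>"),
    "docs.example.test": (404, "No site configured for this hostname"),
}

# Constructed signature; real providers each have their own wording.
UNCLAIMED_SIGNATURES = ("no site configured for this hostname",)


def stub_resolve(name, answers=SAMPLE_ANSWERS):
    """Stand-in for a DNS A lookup; returns [] when nothing resolves."""
    return list(answers.get(name, []))


def stub_fetch(hostname, responses=SAMPLE_HTTP):
    """Stand-in for an HTTP GET with Host: <hostname>; (0, '') = no reply."""
    return responses.get(hostname, (0, ""))


def looks_unclaimed(status, body):
    """True when the provider says nothing is bound to this hostname."""
    text = body.lower()
    return status == 404 and any(sig in text for sig in UNCLAIMED_SIGNATURES)


def audit_zone(records, resolve=stub_resolve, fetch=stub_fetch):
    """Return a finding per CNAME that is dangling or unclaimed on its host."""
    findings = []
    for rec in records:
        if rec.rtype != "CNAME":
            continue
        target = rec.value.rstrip(".")
        if not resolve(target):
            # Target name is gone: anyone who registers/claims it owns the subdomain.
            findings.append({"name": rec.name, "target": target, "issue": "nxdomain"})
            continue
        status, body = fetch(rec.name)
        if looks_unclaimed(status, body):
            # Target resolves, but the provider has no site for this hostname:
            # a new customer on the same shared space could bind it.
            findings.append({"name": rec.name, "target": target, "issue": "unclaimed"})
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print(f"{f['name']} -> {f['target']}: {f['issue']}")
```

Both checks matter: the resolver check alone would pass `docs.example.test`, because the shared provider address still answers. Remediation for either finding is the same: delete the CNAME, or point it at a host you actually control.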
A spokesperson for WP Engine, of which Flywheel is a part, said: “We have reviewed all of the posted information, both in the… article and the linked researchers’ articles, and believe this is an artifact of customer-managed DNS records on any platform with a shared IP space, not just Flywheel.
“In other words, though the researchers call out Flywheel, the issue is not specific to Flywheel, nor does Flywheel manage customer domain records.
“On the responsible disclosure front, we are unclear as to whether the researchers notified anyone, given that we have both a public vulnerability disclosure program and an abuse email address that is closely monitored by multiple teams.”
Source: Popular WordPress platform Flywheel vulnerable to subdomain takeover, researcher claims
Google Ads not serving fully on Gmail
Google Ads are not serving to all Gmail users; the issue is specific to Gmail users on desktop browsers. Google confirmed the issue in the Google Ads status dashboard.
What is the issue. Google said the issue is around Google Ads not being served, and thus the ads not being displayed, to users who use the desktop version of Gmail, Google’s email service.
When did it start. The issue started yesterday, December 23rd, at around 2pm ET or 7:01 PM UTC.
When will it be resolved. Google has not given us an estimated time for the issue to be resolved but the company promised to provide an update by Dec 25, 2021, 2:00 AM UTC “detailing when we expect to resolve the problem,” the company said.
Why we care. If you are running Google Ads for Gmail users, then you may see a dip in the number of ads being served. This is a known issue that Google is working to resolve.
Source: Google Ads not serving fully on Gmail
Multiple State of the Word Attendees Test Positive for COVID-19
Matt Mullenweg’s 2021 State of the Word address was held in New York City nine days ago with a live studio audience. On Sunday, December 19, all in-person attendees were notified by email that they were possibly exposed to COVID-19 after one of the attendees tested positive.
Although proof of vaccination was required at the door, multiple people have reported recent infections after traveling home from the event. Aaron Jorbin tweeted about his case today, and four more have been reported in a private channel on Post Status Slack.
There’s no way to know for certain whether the attendees who contracted COVID-19 caught the virus at the State of the Word, as many of them traveled from far away places and had meetups with other attendees outside of the main event.
Concerns about the lack of masks and no requirement for rapid tests began popping up prior to the event. From the perspective of viewing the livestream, masks were scant and attendees were quite close together in a small space.
The day before the event, the WHO warned that evidence suggested the new Omicron variant could escape prior immunity and would lead to surges with a high transmission rate. Studies were already showing reduced effectiveness of existing vaccines against the variant. On December 13, New York governor Kathy Hochul announced a new temporary indoor mask mandate for public spaces, which could be bypassed by requiring vaccines for entrance.
When asked how the State of the Word’s coordinators decided on the precautions, WordPress Executive Director Josepha Haden Chomphosy said the event met the local guidelines while allowing attendees to make their own choices for anything beyond the requirements.
Source: Multiple State of the Word Attendees Test Positive for COVID-19
WordPress 5.9 Beta 4 Fixes 20 Bugs, Polishes Workflow for Switching to a Block Theme
WordPress 5.9 beta 4 was released this week with fixes for 20 bugs since beta 3. There are a few important changes to note in this release regarding how the WordPress admin will direct users who are exploring block themes.
Prior to a fix in beta 4, it was possible for users to switch to a block theme within the Customizer. This has been changed so that users will see a banner notifying them that the block theme is incompatible, if they try to switch within the Customizer. Here’s the commit message:
“Starting in 5.9, block themes are not compatible with (do not support) Customizer; rather, they use the Site Editor. Viewing installed themes in Customizer, this commit adds an overlay message to alert users and give them a way to activate the block theme. Clicking on the “Activate” button activates the block theme and redirects back to the Appearance > Themes interface, where the user can then enter the Site Editor for customization.
Non-block themes are not affected by this change and continue to work in Customizer.”
Source: WordPress 5.9 Beta 4 Fixes 20 Bugs, Polishes Workflow for Switching to a Block Theme
Google punches itself in the face by discontinuing the Pixel Slate
Imagine, if you will, a runner five miles into a marathon. At this stage they would have barely started, covering just 20% of the overall distance. Now picture that person stopping mid-stride and punching themselves in the face over and over again until they cascade into unconsciousness.
That runner, friends, is Google.
To sprinkle some context on the tale of self-pugilation: Google has discontinued its flagship tablet, the Pixel Slate. 9to5 Google noticed the tablet — which was launched in 2018 — was no longer listed on the company’s website. The Pixel Slate is dead.
Google discontinuing a product or service isn’t much of a surprise, I mean, there are websites solely dedicated to keeping track of all the things the company has prematurely shuttered.
But the Pixel Slate is a big loss, both to Google and the public at large.
Before we go on, a short disclaimer.
We’ve reached out to Google for a comment and more clarification, but we’re working under the assumption that the company has shifted completely out of selling tablets, rather than readying for a next model. Not only has it half-announced this, the decision is also backed by logic: why would Google remove all traces of the hardware from its site if it was planning to launch something else?
In other words, Google’s tablet aspirations are dead.
But why are you a sadboy about the Pixel Slate?
Simply put, it’s because Google had the potential to make a fantastic, competitive, and affordable machine.
Over the past year, I got bang into tablets again — something I attribute to my time with iPad Pro. Long story short, I now get what tablets are for. I understand their value. And, alongside that, I recognize the importance of competition.
The iPad has long been the dominant tablet across the world and there’s little that’s truly challenging it. Yes, the Samsung Galaxy Tab and Amazon Fire HD are popular and solid devices, but they can’t really match Apple when it comes to quality, usability, and interoperability.
But I believe Google could.
Let’s take its Pixel phones as an example. I’ve written before that the company found its sweet spot with the budget-focused “a” series of handsets. These thrive by eschewing the idea of competing as a premium brand — instead making affordable devices that use the cleanest version of Android and perform seamlessly as part of the overall Google ecosystem. In fact, the company seems to have taken this onboard, as with the Pixel 5 it actually removed some features the previous model had, as well as dropping the price.
And you know what? It was one of the best phones of 2020.
This is the approach I would’ve loved Google to take with the Pixel Slate. The original tablet wasn’t perfect — far from it, in fact. Although it was a gorgeous machine, it was overpriced compared to its competitors and it wasn’t entirely clear who it was aimed at.
Source: Google punches itself in the face by discontinuing the Pixel Slate