YOP Poll WordPress Plugin And Base64

Today while running a speed test at tools.pingdom.com  for one of the sites that I have been working on, something strange happened. There were many strange image files that were getting loaded. (Picture below)

base64 files

base64 files found

So what is the problem?

Not only that, the name associated with the files was my biggest concern – “base64”, which is a well know malware that have been known on many WordPress sites.

Now, base64 by itself means something else, but any base64 that have been associated with WordPress that I have came across are nothing but trouble.

 

Now what to do?

So the first thing I did was heading to mySQL and search for “base64” and found bunch of posts that as expected were hacked. Within these posts, there were links created and linking to pictures that had nothing to do with the site. For example, take a look at the picture below.

base64 image found on the site

base64 image found on the site

After cleaning most of the data fields that contained base64, I came across to a file that belong to a plugin that was installed on February 13th, 2014, which happened to be little before those infected posts were created. “That seemed strange and what a co-incidence……” I thought….

yop-poll base64 infection

yop-poll base64 infection

So, what to do next?

Well, since there is a support forum for the plugin, I thought why not ask the guy who made it, then the following answer came back.

Hi digitalreadymarketing,

The file encodes in base64 some of the messages sent to the server.

Best wishes,

YOP Team

base64 answer

base64 answer

 

Not a satisfactory answer. Even if that is what the Java Script suppose to do, there are still so many elements that makes this very fishy. For example, the plugin Author has only created one plugin and despite the popularity, the author’s website has no content at all what so ever! In fact, there are just fake content to fill up the site.

yop poll wordpress page

yop poll wordpress page

 

top poll author

top poll author

 

www.yop-poll.com

www.yop-poll.com

 

As you might know, Expedia got in to a trouble by hiring a marketing firm that created a free WordPress theme that had a link back to Expedia’s site. (There was a very well written case study about this in case you are interested)

So, maybe someone is doing the same tactic with this plugin and generating all kinds of links?

What do you think? Is this what I think it is?

1 reply
  1. YOP Team
    YOP Team says:

    Hi,

    While we do understand your concerns, having these issues after you installed our plugin is only a coincidence.

    We do use base64encode in our plugin but it has no connection with the base64 malware.

    Allow us to explain exactly how it works: we use the jquerybase64encode.js library only when in the poll’s settings “Vote as WordPress User” is set to “Yes”.

    When the user clicks on the Vote button, if he is not logged in WordPress we encode the poll’s data using base64encode and the user will see a pop up that asks him to log in first. After he logs in, we take that information, decode it and process the vote.

    jQuery.base64, that we use to preserve data integrity is not a malware, but a class developed with that specific purpose – basically it’s a tool we use to transfer data regarding users’ votes.

    If you look in its file (yop-poll-jquery.base64.min.js) you will find both the script and information about the developer of this tool.

    In regards to our website and the fact that this is the first plugin we created, well…we had to start somewhere. The website came in second and it’s still under construction. In the past year we focused all of our efforts into developing this plugin and constantly improving it and the fact that we have tens of thousands of downloads and 5* reviews encourage us to continue our work.

    Regards,

    YOP Team

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *