Yesterday, the Watchful team identified a security vulnerability in a moderately popular and free Joomla add-on, the YouTube Joomla Plugin.
This plugin made it easy to embed YouTube videos in Joomla articles.
Unfortunately, the installation files available from the official plugin website included a malicious script or backdoor. The details on how this happened or who was responsible for inserting the backdoor into the installer are not yet clear.
This vulnerability is known to exist in the wild and, although dangerous, appears to have been used primarily to insert backlinks into unsuspecting websites when they are crawled by specific search engines, as you can see in this decoded sample.
How did you find this?
Finding software vulnerabilities and preventing further damage is a group effort in the Joomla community.
Much credit goes to the following people who helped find this exploit and limit the damage:
- Chad Windnagle (@drmmr763) for snooping out the clues.
- Watchful’s own Jeff Channell (@jeffchannell) for finding the exploit.
- Phil Taylor (@blueflameit) for reporting the backdoor to the company hosting the website (the site was taken offline very quickly).
- Ronni Christiansen (@redwebdk) and Tessa Mero (@TessaMero) for working together to remove the plugin from the Joomla Extensions Directory.
Is the website still distributing it?
No, the website was taken down by the hosting provider.
How can I check if I am using the plugin?
In the Joomla backend, look for content plugins with the name YouTube Joomla Plugin.
If you have multiple sites, speak to your IT department or hosting provider and have them search all your servers/accounts for either plg_content_youtube or plg_content_youtubeplugin. Be sure to search both the filesystem and the database.
If your sites are Watchful-enhanced, you can also search for the plugin name from the Watchful dashboard.
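The filesystem-and-database search described above, as an added example that is not from the original post or from Watchful. It assumes the plugin's element names are youtube and youtubeplugin (taken from plg_content_youtube and plg_content_youtubeplugin), that each site's content plugins live under plugins/content/, and that the database table prefix can be read from the site's configuration.php; the sample site tree in the usage note is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): locate Joomla sites under a
# given root that still carry the YouTube Joomla Plugin. It checks the
# directory a content plugin installs to (plugins/content/<element>/) and
# prints the SQL a DBA would run against the #__extensions table to confirm
# the database side. Assumed element names: youtube, youtubeplugin.

# find_youtube_plugin_dirs ROOT
#   prints every plugins/content/youtube or plugins/content/youtubeplugin
#   directory found below ROOT, one per line, sorted
find_youtube_plugin_dirs() {
    root="$1"
    find "$root" -type d \
        \( -path '*/plugins/content/youtube' -o -path '*/plugins/content/youtubeplugin' \) \
        2>/dev/null | sort
}

# joomla_dbprefix CONFIG_PATH
#   reads the $dbprefix value from a Joomla configuration.php (e.g. jos_)
joomla_dbprefix() {
    grep '\$dbprefix' "$1" | head -n 1 | sed "s/.*= *'\(.*\)'.*/\1/"
}

# extensions_query PREFIX
#   prints the query that lists the plugin's rows in the extensions table
extensions_query() {
    prefix="$1"
    printf "SELECT extension_id, name, element, enabled FROM %sextensions WHERE type='plugin' AND folder='content' AND element IN ('youtube','youtubeplugin');\n" "$prefix"
}

# scan_root ROOT
#   reports each hit on the filesystem and, where the owning site has a
#   configuration.php, the matching database check for that site
scan_root() {
    root="$1"
    find_youtube_plugin_dirs "$root" | while IFS= read -r dir; do
        # plugin dir -> content -> plugins -> site root
        site=$(dirname "$(dirname "$(dirname "$dir")")")
        printf 'FOUND: %s\n' "$dir"
        if [ -f "$site/configuration.php" ]; then
            prefix=$(joomla_dbprefix "$site/configuration.php")
            printf '  database check for %s:\n  %s\n' "$site" "$(extensions_query "${prefix:-jos_}")"
        fi
    done
}

# Run against a directory given on the command line, e.g. ./scan.sh /var/www
case "${1:-}" in
    "") ;;
    *) scan_root "$1" ;;
esac
```

Because the query only reads from the extensions table, it can be handed to a hosting provider as-is; a row with enabled=1 means the plugin still runs on that site, and a row with enabled=0 still means the files are present and should be uninstalled from the backend.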
I use that plugin, what should I do?
If you use the YouTube Joomla Plugin:
- Uninstall the plugin from the Joomla backend.
- Replace it with an alternative like OSYouTube.
Note that the YouTube Joomla Plugin — even with the backdoor removed — is no longer recommended on production websites, as it uses deprecated PHP functions and appears to have no active development.
Fixing many sites with Watchful remote installer
You can use the search feature in the Watchful dashboard to locate any sites with the YouTube Joomla Plugin. You’ll have to log into each site to remove the plugin.
You can then use the remote installer to install a replacement like OSYouTube.