I’ve just released WordPoints 2.0.1. This update contains some very minor security hardening, so all users are encouraged to update as soon as possible.
The details of the security-related changes in this release are complex, so I won’t try to explain them fully here. In essence, the code was using the MD5 hashing algorithm in three places. This hashing algorithm is not cryptographically safe, and should be avoided in new projects. In none of these three locations was cryptographic security required. However, I’ve decided to stop using MD5 at all in the plugin code. The main reason for doing this is to provide a good example for other developers, who may not be aware of the potential dangers of MD5 in cryptographic applications.
One of these three locations in the code was not security related at all. For an attacker to exploit either of the other two, he would have to be very determined, and at least a little bit lucky. If his attack were successful, all he would be able to do is view some points logs, or a list of installed modules. Very minor disclosures indeed!
Because these changes are only very minor security hardening, and aren’t actually vulnerability fixes, I considered waiting and including them in the next release. But I decided to release a security update now instead, so that users can decide how soon they want to upgrade, rather than deciding that for them. This is just another step in the effort to go above and beyond, especially when it comes to security.