NEWS
OptinMonster Vulnerability Affects +1 Million Sites
WordPress security researchers reported that a flaw in the OptinMonster WordPress plugin was found to allow hackers to upload malicious scripts to attack site visitors and lead to full site takeovers. Failure to perform a basic security check exposes over a million sites to potential hacking events.
Lack of REST-API Endpoint Capability Checking
This vulnerability isn’t due to hackers being really smart and finding a clever way to exploit a perfectly coded WordPress plugin. Quite the opposite.
According to security researchers at popular WordPress security company Wordfence, the exploit was due to a failure in the WordPress REST-API implementation in the OptinMonster WordPress plugin which resulted in “insufficient capability checking.”
When properly coded, REST-API is a secure method to extend WordPress functionality by allowing plugins and themes to interact with a WordPress site for managing and publishing content. It allows a plugin or theme to interact directly with the website database without compromising security… if properly coded.
The WordPress REST-API documentation states:
“…the most important thing to understand about the API is that it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.”
The WordPress REST-API is supposed to be secure.
Unfortunately, all websites using OptinMonster had their security compromised because of how OptinMonster implemented the WordPress REST-API.
Majority of REST-API Endpoints Compromised
REST-API endpoints are URLs that represent the posts and pages on a WordPress site that a plugin or theme can modify and manipulate.
But according to Wordfence, almost every single REST-API endpoint in OptinMonster was improperly coded, compromising website security.
Wordfence slammed OptinMonster’s REST-API implementation:
“…the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.
…nearly every other REST-API endpoint registered in the plugin was vulnerable to authorization bypass due to insufficient capability checking allowing unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions.”
Unauthenticated means an attacker that isn’t registered in any way with the website being attacked.
Some vulnerabilities require an attacker to be registered as a subscriber or contributor, which makes it a little harder to attack a site, especially if a site doesn’t accept subscriber registrations.
This vulnerability had no such barrier at all, no authentication was necessary to exploit OptinMonster, which is a worst-case scenario compared to authenticated exploits.
Wordfence warned about how bad an attack on a website using OptinMonster could be:
“…any unauthenticated attacker could add malicious JavaScript to a site running OptinMonster, which could ultimately lead to site visitors being redirected to external malicious domains and sites being completely taken over in the event that JavaScript was added to inject new administrative user accounts or overwrite plugin code with a webshell to gain backdoor access to a site.”
Recommended Course of Action
Wordfence notified the publishers of OptinMonster and about ten days later released an updated version of the OptinMonster that plugged all of the security holes.
The most secure version of OptinMonster is version 2.6.5.
Wordfence recommends that all users of the OptinMonster update their plugin:
“We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.6.5 at the time of this publication.”
WordPress offers documentation on best practices for REST-API and asserts that it is a secure technology.
So if these kinds of security issues aren’t supposed to occur, why do they keep on happening?
The WordPress documentation on best practices for the REST-API states:
“…it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.”
With over a million sites affected by this vulnerability one has to wonder why, if best practices exist, this kind of vulnerability happened on the highly popular OptinMonster plugin.
While this isn’t the fault of WordPress itself, this kind of thing does reflect negatively on the entire WordPress ecosystem.
Citation
Read the Report About OptinMonster at Wordfence
1,000,000 Sites Affected by OptinMonster Vulnerabilities
NEWS
OpenAI Introduces Fine-Tuning for GPT-4 and Enabling Customized AI Models
OpenAI has today announced the release of fine-tuning capabilities for its flagship GPT-4 large language model, marking a significant milestone in the AI landscape. This new functionality empowers developers to create tailored versions of GPT-4 to suit specialized use cases, enhancing the model’s utility across various industries.
Fine-tuning has long been a desired feature for developers who require more control over AI behavior, and with this update, OpenAI delivers on that demand. The ability to fine-tune GPT-4 allows businesses and developers to refine the model’s responses to better align with specific requirements, whether for customer service, content generation, technical support, or other unique applications.
Why Fine-Tuning Matters
GPT-4 is a very flexible model that can handle many different tasks. However, some businesses and developers need more specialized AI that matches their specific language, style, and needs. Fine-tuning helps with this by letting them adjust GPT-4 using custom data. For example, companies can train a fine-tuned model to keep a consistent brand tone or focus on industry-specific language.
Fine-tuning also offers improvements in areas like response accuracy and context comprehension. For use cases where nuanced understanding or specialized knowledge is crucial, this can be a game-changer. Models can be taught to better grasp intricate details, improving their effectiveness in sectors such as legal analysis, medical advice, or technical writing.
Key Features of GPT-4 Fine-Tuning
The fine-tuning process leverages OpenAI’s established tools, but now it is optimized for GPT-4’s advanced architecture. Notable features include:
- Enhanced Customization: Developers can precisely influence the model’s behavior and knowledge base.
- Consistency in Output: Fine-tuned models can be made to maintain consistent formatting, tone, or responses, essential for professional applications.
- Higher Efficiency: Compared to training models from scratch, fine-tuning GPT-4 allows organizations to deploy sophisticated AI with reduced time and computational cost.
Additionally, OpenAI has emphasized ease of use with this feature. The fine-tuning workflow is designed to be accessible even to teams with limited AI experience, reducing barriers to customization. For more advanced users, OpenAI provides granular control options to achieve highly specialized outputs.
Implications for the Future
The launch of fine-tuning capabilities for GPT-4 signals a broader shift toward more user-centric AI development. As businesses increasingly adopt AI, the demand for models that can cater to specific business needs, without compromising on performance, will continue to grow. OpenAI’s move positions GPT-4 as a flexible and adaptable tool that can be refined to deliver optimal value in any given scenario.
By offering fine-tuning, OpenAI not only enhances GPT-4’s appeal but also reinforces the model’s role as a leading AI solution across diverse sectors. From startups seeking to automate niche tasks to large enterprises looking to scale intelligent systems, GPT-4’s fine-tuning capability provides a powerful resource for driving innovation.
OpenAI announced that fine-tuning GPT-4o will cost $25 for every million tokens used during training. After the model is set up, it will cost $3.75 per million input tokens and $15 per million output tokens. To help developers get started, OpenAI is offering 1 million free training tokens per day for GPT-4o and 2 million free tokens per day for GPT-4o mini until September 23. This makes it easier for developers to try out the fine-tuning service.
As AI continues to evolve, OpenAI’s focus on customization and adaptability with GPT-4 represents a critical step in making advanced AI accessible, scalable, and more aligned with real-world applications. This new capability is expected to accelerate the adoption of AI across industries, creating a new wave of AI-driven solutions tailored to specific challenges and opportunities.
This Week in Search News: Simple and Easy-to-Read Update
Here’s what happened in the world of Google and search engines this week:
1. Google’s June 2024 Spam Update
Google finished rolling out its June 2024 spam update over a period of seven days. This update aims to reduce spammy content in search results.
2. Changes to Google Search Interface
Google has removed the continuous scroll feature for search results. Instead, it’s back to the old system of pages.
3. New Features and Tests
- Link Cards: Google is testing link cards at the top of AI-generated overviews.
- Health Overviews: There are more AI-generated health overviews showing up in search results.
- Local Panels: Google is testing AI overviews in local information panels.
4. Search Rankings and Quality
- Improving Rankings: Google said it can improve its search ranking system but will only do so on a large scale.
- Measuring Quality: Google’s Elizabeth Tucker shared how they measure search quality.
5. Advice for Content Creators
- Brand Names in Reviews: Google advises not to avoid mentioning brand names in review content.
- Fixing 404 Pages: Google explained when it’s important to fix 404 error pages.
6. New Search Features in Google Chrome
Google Chrome for mobile devices has added several new search features to enhance user experience.
7. New Tests and Features in Google Search
- Credit Card Widget: Google is testing a new widget for credit card information in search results.
- Sliding Search Results: When making a new search query, the results might slide to the right.
8. Bing’s New Feature
Bing is now using AI to write “People Also Ask” questions in search results.
9. Local Search Ranking Factors
Menu items and popular times might be factors that influence local search rankings on Google.
10. Google Ads Updates
- Query Matching and Brand Controls: Google Ads updated its query matching and brand controls, and advertisers are happy with these changes.
- Lead Credits: Google will automate lead credits for Local Service Ads. Google says this is a good change, but some advertisers are worried.
- tROAS Insights Box: Google Ads is testing a new insights box for tROAS (Target Return on Ad Spend) in Performance Max and Standard Shopping campaigns.
- WordPress Tag Code: There is a new conversion code for Google Ads on WordPress sites.
These updates highlight how Google and other search engines are continuously evolving to improve user experience and provide better advertising tools.
Facebook Faces Yet Another Outage: Platform Encounters Technical Issues Again
Uppdated: It seems that today’s issues with Facebook haven’t affected as many users as the last time. A smaller group of people appears to be impacted this time around, which is a relief compared to the larger incident before. Nevertheless, it’s still frustrating for those affected, and hopefully, the issues will be resolved soon by the Facebook team.
Facebook had another problem today (March 20, 2024). According to Downdetector, a website that shows when other websites are not working, many people had trouble using Facebook.
This isn’t the first time Facebook has had issues. Just a little while ago, there was another problem that stopped people from using the site. Today, when people tried to use Facebook, it didn’t work like it should. People couldn’t see their friends’ posts, and sometimes the website wouldn’t even load.
Downdetector, which watches out for problems on websites, showed that lots of people were having trouble with Facebook. People from all over the world said they couldn’t use the site, and they were not happy about it.
When websites like Facebook have problems, it affects a lot of people. It’s not just about not being able to see posts or chat with friends. It can also impact businesses that use Facebook to reach customers.
Since Facebook owns Messenger and Instagram, the problems with Facebook also meant that people had trouble using these apps. It made the situation even more frustrating for many users, who rely on these apps to stay connected with others.
During this recent problem, one thing is obvious: the internet is always changing, and even big websites like Facebook can have problems. While people wait for Facebook to fix the issue, it shows us how easily things online can go wrong. It’s a good reminder that we should have backup plans for staying connected online, just in case something like this happens again.
-
WORDPRESS5 days ago
WordPress biz Automattic details WP Engine deal demands • The Register
-
SEARCHENGINES7 days ago
Daily Search Forum Recap: September 30, 2024
-
SEARCHENGINES6 days ago
Daily Search Forum Recap: October 1, 2024
-
SEARCHENGINES5 days ago
Programming Note: Rosh Hashanah 5785
-
SEO6 days ago
Bing Expands Generative Search Capabilities For Complex Queries
-
WORDPRESS6 days ago
How to Easily Add Snapchat Pixel for WooCommerce in WordPress
-
SEARCHENGINES4 days ago
Daily Search Forum Recap: October 3, 2024
-
WORDPRESS6 days ago
How to Create A Website to Sell Products In 8 Steps [+6 Expert Tips]
You must be logged in to post a comment Login