Jetpack Social Sharing feature exploited to send thousands of spam messages

I submitted this problem to the Jetpack “Contact Support” page, but I wanted to provide additional information, just in case others encountered this issue before a patch is released.

This morning I had time to confirm the problem mentioned above on a local test server.

The problem is, indeed, the Email sharing button. However, the problem is not immediately evident if a user is logged into the site. When a user (or bot) is not logged in, the Email button has a “Your Name” and “Your Email Address” field, in addition to the “Send to Email Address” field.

There is no apparent character limit on the “Your Name” field. A spammer could use that field to pre-pend an entire email message to the “[Your Email Address] thinks you may be interested in the following post:” part of the message.

Also there does not appear to be a throttle on the amount of times this form can be used, which means that it might be used in a mass email spam attack or, potentially, a DDOS attack.

Hi Michael,

Thanks for contacing us about this. I see that you also contacted us by email and that my colleague replied asking for the logs, so I’ll mark this one as resolved, and we’ll see what we can do to prevent both issues from happening again.

Richard,

Sorry, but it seems that this issue has NOT been resolved with “Sharing” on Jetpack when “Email” sharing is enabled. The user reporting it to you above (Michael) is running the current versions of both WordPress 3.8.1 and Jetpack 2.9.2. I did not see a fix or solution listed. Therefore it does not seem like this issue is “resolved” quite yet, unless you know something that we do not. I have seen this exact issue occur. I think the only way to avoid it right now, is to go into “Settings” -> “Sharing” -> “Configure” and then drag-n-drop the “Email” icon from “Enabled Services” into the “Available Services” area under the “Sharing Buttons” section.

Is the Jetpack team aware of this vulnerability as revealed in this article: https://fossforce.com/2014/03/wordpress-jetpack-sharing-plugin-exploited-by-spammers/

If so, please let us know and when they estimate to have a fix or upgrade to Jetpack to prevent this issue.

Thank you so much for your help.

David:

Yes. Disable Email as a sharing service, and the problem is fixed.

We’re investigating the best way to prevent spammers from taking advantage of this when it is enabled, but haven’t yet come to a consensus. If we were to implement some sort of rate limiting per hour based on IP or the like, then it could still be leveraged by botnets. It’s a difficult situation, and if you’re not comfortable with your server sending out emails at the behest of a user, just disable the Email sharing service.

Cheers,

George Stephanis
Team Lead
Jetpack Pit Crew

Also, here’s a GitHub thread — feel free to post suggestions there, and patches are of course, as always, welcome. ??

https://github.com/Automattic/jetpack/issues/448

think the only way to avoid it right now, is to go into “Settings” -> “Sharing” -> “Configure” and then drag-n-drop the “Email” icon from “Enabled Services” into the “Available Services” area under the “Sharing Buttons” section.

Another alternative would be to add reCaptcha to the email sharing buttons, as explained here:
https://jetpack.me/2013/04/15/recaptcha-email-sharing-button/

That should stop the spammers on your site.