WordPress Plug-In – TweetBacks “Considered Harmful”

I've recently installed the WordPress plug-in called "TweetBacks" on two of my sites to see how it goes. Those two sites are the ones I promote most heavily on Twitter. The first is this blog, about Small Business Internet Marketing; the other is a blog about How to Twitter.

What is TweetBacks WordPress Plug-In?

The TweetBacks plug-in automatically picks up conversations when people tweet about one of your WordPress blog posts and inserts each tweet as a comment on that post.

It worked nicely for a while. I even recommended TweetBacks to members of my inner circle, but then I noticed some very strange things happening, and only on this blog.

Suddenly, when I looked at the "Review Comments" console, I saw gobs and gobs of comments (~2,000), in many different languages, all tweeting links to this URL:


None of the tweets linking to that URL shared anything like the same copy; obviously they were just trying to scam anyone and everyone in the world into visiting the URL. Perhaps it loads malware or something, and the spammer isn't terribly picky about how to prey on the next victim.

I immediately went to Google to see whether anyone else had suffered a similar malady. Maybe there was some sort of confusion with my specific URL, right? Well, I found enough blog posts about the issue to conclude that this was a widespread problem. It became obvious to me that the right course of action was…

My Recommendation

  1. Immediately deactivate, then uninstall, the TweetBacks WordPress plug-in.
  2. To get rid of the offending tweets/comments, execute the following SQL if you have access to a SQL tool (or ask your hired-gun nerdfolk to do this for you):

    -- substitute the spam link for the placeholder; back up wp_comments first
    DELETE FROM wp_comments
    WHERE wp_comments.comment_content LIKE '%<offending URL>%';

  3. Help anyone else you see suffering from this by pointing them here.
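As an added worked example (not part of the original post), here is how I would carry out step 2 more carefully in MySQL: preview the damage, quarantine the comments as spam so they can still be inspected, then delete them and repair the per-post comment counts, and finally watch for the next link being sprayed. The bit.ly link is a constructed placeholder and the default wp_ table prefix is assumed.

```sql
-- Added example, not from the original post. Assumes the default wp_ table prefix.
-- 'http://bit.ly/SPAMLINK' is a constructed placeholder for the link being sprayed.

-- 1. Preview before touching anything: how many hits, spread over which posts.
SELECT comment_post_ID, COUNT(*) AS hits
FROM wp_comments
WHERE comment_content LIKE '%http://bit.ly/SPAMLINK%'
GROUP BY comment_post_ID
ORDER BY hits DESC;

-- 2. Quarantine instead of deleting straight away. WordPress hides comments whose
--    comment_approved is 'spam' but keeps the rows, so they can still be reviewed.
UPDATE wp_comments
SET comment_approved = 'spam'
WHERE comment_content LIKE '%http://bit.ly/SPAMLINK%';

-- 3. Once reviewed, delete the quarantined rows and their metadata...
DELETE m
FROM wp_commentmeta AS m
JOIN wp_comments AS c ON c.comment_ID = m.comment_id
WHERE c.comment_approved = 'spam'
  AND c.comment_content LIKE '%http://bit.ly/SPAMLINK%';

DELETE FROM wp_comments
WHERE comment_approved = 'spam'
  AND comment_content LIKE '%http://bit.ly/SPAMLINK%';

-- ...and repair the cached per-post counts that WordPress stores in wp_posts.
UPDATE wp_posts AS p
SET p.comment_count = (
  SELECT COUNT(*) FROM wp_comments AS c
  WHERE c.comment_post_ID = p.ID AND c.comment_approved = '1'
);

-- 4. The sprayed link changes over time, so watch for any link that suddenly shows
--    up in many comments from many distinct authors within the last day.
--    Crude extraction: the text after the last 'http://' up to the next space.
SELECT SUBSTRING_INDEX(SUBSTRING_INDEX(comment_content, 'http://', -1), ' ', 1) AS link,
       COUNT(*)                        AS hits,
       COUNT(DISTINCT comment_author)  AS distinct_authors
FROM wp_comments
WHERE comment_date_gmt >= UTC_TIMESTAMP() - INTERVAL 1 DAY
  AND comment_content LIKE '%http://%'
GROUP BY link
HAVING hits > 20 AND distinct_authors > 10
ORDER BY hits DESC;
```

Run step 4 on a schedule and you have a simple burst detector for the "site du jour" rather than a filter tied to one URL.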

Post Script:  (The Developer Responds)

Since sharing my recommendation to uninstall the TweetBacks WordPress plug-in with the world via Twitter, several interesting things have happened.

  1. The author of the script, @jdevalk, replied to me through Twitter, telling me that I have no idea what I'm talking about, and that the "right way" to handle this undesired behaviour is to talk to the developer first.

While I respect his right to his opinion, I beg to differ with his prescribed method of resolution.  I believe that the proper way to handle any threat such as this is to

  • immediately deal with the situation at hand,
  • prevent further attack, then
  • determine if there was any malice involved before making any personal accusations (which I have not).

The spammy URL that was previously filling my blog comments no longer links to anything through http://bit.ly. I assume that some other link will be blanketed across blogs in the future, so don't expect it to always be the "1BOWLu" link above; look out for any similarly meaningless tripe linking to the site du jour.

Post-Post Script:  (United Against Spam!)

I have been working with Joost de Valk (@jdevalk) to iron out the exact cause of the issue. He does seem like a rather nice guy, and is earnestly digging into the bug which has caused this unfortunate situation. I look forward to being able to use this plug-in again.

After I have used it for a while and have greater comfort that we've bulletproofed the application and that you will not be adversely affected by any further bugs, I will happily share with you the results of our joint effort to combat the spammers.


    #1 Taryn Pisaneschi on 02.05.09 at 5:53 am

    Daiv, you make some fantastic points.

    “The author of the script, @jdevalk replied to me through Twitter, telling me that I have no idea what I’m talking about, and that the “right way” to counter this behaviour is to talk to the developer first. ”

    It’s always fascinating when people try to counter an experience like the one you had, especially with your technical background, with an ignorant response. You actually helped them out by providing a remedy. In my world, that minimally deserves an apology and a thank you.

    – TarynP

    #2 Trey (1 comments.) on 02.05.09 at 7:14 am

    Wow – I got lucky and read this JUST before I installed this plugin. I had it downloaded this morning but hadn’t gotten around to setting it up.

    And now it’s in the Trash. Thanks, Daiv!

    #3 Kyle Reddoch (6 comments.) on 02.05.09 at 7:17 am

    I have recently installed this plugin as well. I have yet to see any spammy cases on my site, but now I am on the lookout for any instances.

    Thanks for the heads up bud!

    #4 James Stratford (1 comments.) on 02.05.09 at 7:19 am

    Thanks for the heads up and it's a shame that it happened. It's time to see if that one's installed on my site, and if it is, then it's damage control time.

    The way the hackers/spammers utilize security flaws is outrageous!

    #5 deLeon (1 comments.) on 02.05.09 at 7:24 am

    Thanks. I really appreciate and will heed your warning. Tweetback is outta here.

    #6 Julian Lockhart (2 comments.) on 02.05.09 at 7:33 am

    I agree with your taking the offending script down. Even tweeting your issues. BUT . . .

    I’m not so sure about this post. It seems as if you are being punitive. You are inferring that he is somehow culpable. Have you determined if there is any malice involved?

    Yoast seems like a "decent" fellow. He has many other plugins for WordPress. http://www.yoast.com is his website.

    I believe he's not willing to drag his rep in the mud to spam in this way.

    #7 Daiv Russell (10 comments.) on 02.05.09 at 7:42 am

    I, in no way, claimed that the author was specifically responsible. I don't know who the author is, nor do I specifically care who the author of the TweetBacks plug-in is. Perhaps telling Yoast, himself, about the problems with his plug-in will provide more direct value to him than attempting to defend him, when I've not attacked him. I've made no accusations that the author of TweetBacks is intentionally malicious. What I have blogged is all a completely accurate account of my experience. I'm sorry if this type of factual account and my resultant professional recommendation strikes a bad chord with you. I'm glad that Yoast has created a great impression on you and makes you feel that he would not do such a thing, intentionally. I have no previous experience with him or his products and think that my advice is sound, regardless of how wonderful a person he may be.

    #8 AWonder (2 comments.) on 02.05.09 at 8:30 am

    Thanks for the heads up, Daiv! I’ll be on the lookout for weird happenings.

    #9 Shannon Grissom (1 comments.) on 02.05.09 at 8:40 am

    Great blog! Thanks for the heads up. You saved this new tweeter a lot of trouble.

    #10 Julian Lockhart (2 comments.) on 02.05.09 at 8:42 am

    Daiv – Your professional recommendation does not strike a bad chord with me. It’s your delivery. My opinion is that the tone of your post implies culpability and I feel that it is punitive.

    I would hope that you would care about this when an author is providing free code for you to use.

    #11 Lisa Johnson (1 comments.) on 02.05.09 at 9:23 am

    As a business owner your first and foremost priority is always to defend the business. While talking to the developer might create upgrades over time, your issue was immediate and had to be dealt with. As you do this for a living it's a big deal! You did the right thing. A shop owner wouldn't talk to his alarm company if he saw a thief taking something from his store. He'd go after the thief!

    #12 David Rosen (1 comments.) on 02.05.09 at 9:42 am

    Great information about tweetbacks and whomever chose the graphic for this story is a genius!! 😉

    #13 Matt Bovell (1 comments.) on 02.05.09 at 10:14 am

    Dave, the main thrust of your article is right on the money. It’s analogous to a medical emergency. You first stop the bleeding, stabilize the patient and then figure out what went wrong and by whom.

    If any software is acting maliciously (regardless of the intent of the developer), remove it and ask questions later.

    #14 Mily on 02.05.09 at 11:18 am

    Maybe you should put a link to the download site so we know which one you are talking about since there are multiple plugins called TweetBacks.

    Also, I don’t think the author did this on purpose. It is open source software and just like WordPress open to vulnerabilities.

    Put a blank index file in your plugins folder and rename your plugin and it’s likely people from China won’t find it.

    #15 Scott Allen (2 comments.) on 02.05.09 at 11:56 am

    I really don’t think you should have posted this before contacting Joost and giving him ample time to respond. As a fellow plugin developer, I can say it’s bad practice to post a security flaw (even if it was legit, which I’m not convinced) for all the world to see before giving the developer a chance to fix. By all means take it down from your site if you feel it’s causing a problem. When you make a post like this, it seems more like you’re trying to get attention. Joost is a very well-known and talented plugin developer, and if you bring something like this to his attention, he would investigate and fix quickly if there was truly a problem. However, I’m not convinced based on your post that there really is a problem with the plugin.

    #16 Concerned on 02.05.09 at 1:05 pm

    I should have said something this morning when I saw this terrible post. I’m going to now. For the record, I’m not a developer. I use WP and tons of plugins, some good, some bad, and some downright ugly.

    Joost is absolutely right. You were out of line. You should have contacted him before blasting your guess as to the problem in the plugin for the world to see.

    You made a conclusion based on other blog posts? Made by other people who were also wrong about the cause? Interesting.

    “I believe that the proper way to handle any threat such as this is to

    * immediately deal with the situation at hand,
    * prevent further attack, then
    * determine if there was any malice involved before making any personal accusations (which I have not).”

    You missed one: “attack the plugin and by association, its author–or any of them, who cares which author wrote which plugin–on my blog, thus causing unneeded damage and panic among other WPers.”

    You made a sweeping claim that Tweetbacks was bad and had a spam backdoor. Any digging on Google would have told you that there are several versions of this plugin–and even which versions were indeed the ones affected. Did you even compare? Or just assume?

    You were right to deactivate the plugin first. I have the plugin, and nothing’s gone wrong for me yet.

    But you need to do some research before making such generalizations about the plugin.

    This statement: “I don’t know who the author is, nor do I specifically, care who the author of the TweetBacks plug-in is.” shows complete ignorance on your part. It’s akin to spreading gossip without even questioning the source. If you cared at all, you’d know that there are several instances of Tweetbacks.

    You need to care who the author is. Especially if you deal in WP often. There are developers who do this every day, who build reputations on it. And plugins are made by human beings. Sometimes there are bugs. Sometimes–gasp–they conflict with other plugins you have installed. Sometimes they even break blogs. That’s the chance you take. But you don’t jump all over the web–send the developer a note, and leave a post in the WP forums where their plugin is located.

    Developers count on people to tell them these things, rather than blasting them on the webs, to find out about them and fix the issues. How would you feel if, instead of leaving this comment, I simply went onto MY blog and told the world what a lousy writer you were with factless statements?

    This statement is also one of ignorance: “I have no previous experience with him or his products and think that my advice is sound, regardless of how wonderful a person he may be.” That shows you right there why your post is out of line. Joost is very well-known and held in high regard in the WP world. You don’t get that rep by making spam plugins. Being a nice guy has nothing to do with it.

    Again, a little research would have shown you it wasn’t a spam issue, but a twitter interaction error that collected tweets incorrectly. And lookie there, you’ve already got an update with the ACTUAL cause and problem of the plugin, which is, my my, not spam after all.

    Perhaps your goal was more about quick traffic than factual writing. No snarky replies are needed. I already know I won’t be back.

    #17 Dr. Gianmichael Salvato (1 comments.) on 02.05.09 at 1:37 pm

    Thanks, Daiv. I think it’s patently ABSURD that anyone suggest that you were being “punitive”. Like it or not, when the author of a plug-in releases a plug-in with vulnerabilities, they are culpable for the vulnerability.

    There was nothing malicious or unprofessional about your post. You provide a valuable b2b service and I’m certain I am not the only one who hopes you’ll continue, undaunted.

    — Gianmichael
    @gianmichael on twitter

    #18 Stephen (1 comments.) on 02.05.09 at 2:32 pm

    I am as befuddled as you and others at the response of the developer here.

    While I’m very happy that you’ve both made contact with one another and that this will likely be very productive, I can’t see how the average blogger – one who’s NOT a tech geek, in my case – would be obligated to track down the developer and start “talking tech” about the issues behind it. (I’m so low-tech, I use blogger, actually)

    As a consumer, I simply consume. The creator of a product is responsible for flaws in their products or services, and, on occasion, suffers bad publicity about it, as they surely did when you recommended NOT to install this particular version of the plug-in.

    The customer should never be made to feel that it's his or her job to hunt down the developer and for THEM to apologize for a flaw in THEIR product.

    I think someone’s got that backwards if they feel otherwise.

    @nhprman on twitter

    #19 JenniferBhalaHansen (1 comments.) on 02.05.09 at 7:10 pm

    I was about to use tweetback. Not any more. Thanks for the warning

    #20 So Much More Than A Mom (1 comments.) on 02.05.09 at 7:17 pm

    I can’t even begin to imagine how anyone could take offense to anything in this post.

    #21 Kyle Reddoch (6 comments.) on 02.05.09 at 7:17 pm

    Okay, I have now uninstalled the Tweetback plugin for WP…

    Thanks for the advanced warning again!

    #22 Guillermo (1 comments.) on 02.06.09 at 11:40 am

    You did the right thing. I've been in the developer's position before, and my initial response was similar to his; but the fact of the matter is this: This is the real world. If you were in a Ford, and your wheels came off without warning, you'd be within your rights to complain to the entire known world before even sending as much as a tweet to the company. Developers (again, myself included) want to be taken seriously, and want for their industry to be taken seriously, but many aren't mature enough for the sort of responsibility and scrutiny that comes with creating a product. So… don't worry. Daiv still rawks.

    #23 Scott Allen (2 comments.) on 02.06.09 at 2:36 pm

    @Guillermo: If we were dealing with a car I would agree, but when there is a potential security issue, the procedure has to be different.

    By all means disable what you feel is the problem. You own the site, you are free to do as you please. But when dealing with a potential security flaw, you have to contact the developer first and give them a few days to investigate and fix it if the problem is legit. By posting before doing that, you give unethical people several days head start to exploit the issue before the developer can fix it. This causes more problems because then a LOT more people can get exploited. I would say if the developer didn't respond after a couple days (and you've made a thorough attempt to contact them), then by all means post about it. Otherwise the post should wait to come until the developer has had a fair chance to fix it.

    Like I said, security issues are different than other kinds of problems with web apps.

    #24 Sheila (1 comments.) on 02.17.09 at 1:43 pm

    First of all, Daiv, I love your blog. I don't think you did anything wrong or punitive with your post. It's FREE. Just like any product/service, free or paid for, there are going to be good reviews and bad reviews.
    It's your blog and you can post anything you want. If you want to do a review on something you found faulty, why should you take YOUR time to call the developer? They should not have sent it out without first beta testing it with friends/family. My husband always beta tests something before sending it out to the world, and we always go back to it and make sure it's working properly even after it's sent out to the world to use.

    I know that we have tried to contact a developer on a product/service that had a flaw and do you know that I spent “4” Freakin hours trying to get through to them, not to mention all the emails, Waste of my time to help someone out. So what ever!
    Can we say REVIEW and that is exactly what you did, you reviewed a product/service.
    They need to fix it and get over it.
    Just because of the smart asses that commented against you, I will NEVER use that plugin and I will let others know to not use it either.

    #25 Herb Stalk (1 comments.) on 02.17.09 at 9:33 pm

    Great catch! Probably saved a lot of people a lot of headaches

    #26 Cheri Sigmon, CISSP (1 comments.) on 03.08.09 at 11:58 pm

    Interesting thread… esp’ly this convo about “responsible disclosure.” As an information security professional, we discuss this often and we do have fiduciary and ethical responsibilities that an average “consumer” would NOT.

    Therefore, Dave has no obligation to discuss a perceived security vulnerability with the developer FIRST. He CAN if he wishes, but the 1st step is to *contain* potential risks.
    Hope it works out OK; plugins often equal attack vectors.