MBuilder - Premium Email Builder Extension For Mailwizz

We have already fixed it and we got aware of such a hole by our customers only i thought this hole was in our latest version which is not yet publicly released, Our developer will test it first thing in the morning and we will provide a patch right after that, request you guys to disable Mbuilder for now to prevent him from hacking it again.

Thanks, Apologies for the inconvenience.
 
@Jatin Sahani Apparently the support section of mBuilder gives away too much info. The hacker is obviously an mBuilder user if not even the developer. A large portion of the mBuilder code is obfuscated, a technique similar to malware. I get a notification every time someone creates a support ticket. I can view the profile of the user. In the profile I can see website where mBuilder is installed as well as license key. All attacker needs is a customer account to access mbuilder and upload the payload. He already has a list of all mailwizz installations running mBuilder from the support section.

Thanks for the info on our support system, we never got any customer feedback that he/she is getting all the info of other users via new tickets. We will investigate this bug/issues also, tomorrow first thing in the morning.

Thanks once again.
 
We have already fixed it and we got aware of such a hole by our customers only i thought this hole was in our latest version which is not yet publicly released, Our developer will test it first thing in the morning and we will provide a patch right after that, request you guys to disable Mbuilder for now to prevent him from hacking it again.

Thanks, Apologies for the inconvenience.

You sure?

@Jatin Sahani - should know about this since it was a security issue in mbuilder where the files were not checked at uploads.
I also provided guidance in how to fix the given security error, which is very serious.
He should have fixed it by now and notify all customers, since again, that's a serious thing.
 
@Jatin Sahani - should know about this since it was a security issue in mbuilder where the files were not checked at uploads.
I also provided guidance in how to fix the given security error, which is very serious.
He should have fixed it by now and notify all customers, since again, that's a serious thing.

Thanks buddy, yes we fixed it but i thought this was there in our new latest version which we haven't even released publicly. We will release the patch tomorrow for sure, Guys again i will request you to disable the Mbuilder extension for now. Also if you need help in getting back into your backend let me know via PM.

Thanks
 
You sure?
Yes, but this was with our latest version which is not publicly released, none the less we will release the patch tomorrow for sure, as its 12+am at the moment and my developer will test it once more and release the patch for all our customers.

Thanks.
 
Yes, but this was with our latest version which is not publicly released, none the less we will release the patch tomorrow for sure, as its 12+am at the moment and my developer will test it once more and release the patch for all our customers.

Thanks.

What date did he inform you?
 
What date did he inform you?
As i told you above, i personally contact twisted for the latest version which is NOT released. He reviewed the code and told me about this issue, which my developer fixed but we haven't even released this version till now. Well now we have to release it for all our customers.

Also this hacker is well trained i assume as we don't know yet how he got all the details of our customers and there mw installations.
We are not strong at hacking protection please lets not create a scene here now, even big companies get hacked all the time, i understand the issue at hand as its very late here i personally can't do anything until tomorrow once i reach office, as i will push my developer to test this hole once more and review the code once more and then we will push the patch tomorrow only.

I can provide steps via PM to any one who got hacked and needs to get back into his backend panel. Also again i will request all our customers to disable the extension for now and change the backend passwords and Database passwords as well.

Thanks
 
It is also important to check that the attacker did not leave traces of the backdoor used in the attack. I had to do a comprehensive scan of the entire website and found the php file that orchestrated the attack. I used Gravity Scan for that. Also looking at the notifications at mbuilder support i realized that Roldan Thalia created a support ticket same day he performed the attack. Which means @Jatin Sahani has his details. Why not inform the devs about the vulnerability? Why go ahead and do the exploit?
 
As i told you above, i personally contact twisted for the latest version which is NOT released. He reviewed the code and told me about this issue, which my developer fixed but we haven't even released this version till now. Well now we have to release it for all our customers.

Also this hacker is well trained i assume as we don't know yet how he got all the details of our customers and there mw installations.
We are not strong at hacking protection please lets not create a scene here now, even big companies get hacked all the time, i understand the issue at hand as its very late here i personally can't do anything until tomorrow once i reach office, as i will push my developer to test this hole once more and review the code once more and then we will push the patch tomorrow only.

I can provide steps via PM to any one who got hacked and needs to get back into his backend panel. Also again i will request all our customers to disable the extension for now and change the backend passwords and Database passwords as well.

Thanks

Yes but when did he tell you? I'm sure @twisted1919 will confirm the date.

The problem is you've been sitting on a security issue which you said was fixed but failed to roll it out. Why? You say because its on a new version but surely when you know about a HUGE security issue which has compromised many MailWizz customers who have purchased your plugin and possibly had all their data stolen that you would do an updated release of the CURRENT version straight away with the fixed security issue.

If the hacker was able to upload a PHP File Manager which is what iv read then that means he's been able to access ALL files on the domain including viewing Config settings for MySQL. So all the hacker needed to do was remotely connect to the database and download/steal all the data or if that didnt work due to Remote MySQL Security settings then create a simple PHP script to export all the data and upload it using the file manager he uploaded in the first place.

You cant just sit there knowing about a security issue and say "Right ok so we've had the issue fixed, but i tell you what, we wont issue an update on the current version, we'll wait until the new version is fully ready and HOPE that no one notices the security issue".

With you saying your not strong at hacking protection makes me never want to trust (especially now) your plugins. I mean I can code in PHP and if i was to ever make a plugin like this which involves people uploading files i dont understand how you didnt code it so no harmful files can be uploaded such as PHP files and code it so only files such as jpg, jpeg, gif, png are accepted. I understand theres security issues with some big web based programs including WordPress but the thing that gets me is how could this have been coded in a way to allow ANY file to be uploaded, and the time its taken to release a patch to fix the issue.

we haven't even released this version till now

Makes me think if all this didnt come to light how much longer people would of had to wait in order to patch the security issue....

All this could have avoided if you just released an update for the current version with the fix.
 
We have released the update via our backend for all our existing customers. Which includes fix for that security hole also.

Thanks
 
Hello, I think that security problems like these are normal, the thing is that Mbuilder developers who are going to start doing so that this does not happen again, expect response from them.
 
@Jatin Sahani I still receive email notification for support tickets created by other users. Please fix your support platform. It gives away too much information.

Yes we have already created a new support system, and we are launching our extension on envato now, we have already submitted to codecanyon. So in few days times you won't receive any email from our current support centre.

Thanks for reporting again.

This is how our new support looks like now :-
uB3vZ4n.png
 
Last edited:
Hi @Allante Johnson and @Jatin Sahani ,

You are still developing and selling mBuilder? Or maybe they're on vacation in the Caribbean?

I bought a license two days ago. I have received NOTHING. I have sent you several emails, written from the contact form of your website, from your web chat,... And I don't receive a reply!

Do you guys have a problem? I don't understand a customer service that bad.
 
Hi @Allante Johnson and @Jatin Sahani ,

You are still developing and selling mBuilder? Or maybe they're on vacation in the Caribbean?

I bought a license two days ago. I have received NOTHING. I have sent you several emails, written from the contact form of your website, from your web chat,... And I don't receive a reply!

Do you guys have a problem? I don't understand a customer service that bad.

Hi unfortunately the Caribbean island was hit by a huge hurricane so i dont believe anybody is on vacation there.

Let me check for your license, Have you already opened a ticket? w

we have a new support system we will be launching very soon.
 
Back
Top