Serious backdoor vulnerability located in popular YouTube plugin for Joomla

Yesterday, the Watchful team identified a security vulnerability in a moderately popular and free Joomla add-on, the YouTube Joomla Plugin.

This plugin made it easy to embed YouTube videos in Joomla articles.

Unfortunately, the installation files available from the official plugin website included a malicious script or backdoor. The details on how this happened or who was responsible for inserting the backdoor into the installer are not yet clear.

This vulnerabilty is known to exist in the wild and although dangerous, appears to be have used primarily to insert backlinks into unsuspecting websites sites when crawled by specific search engines as you can see in this decoded sample.

How did you find this?

Finding software vulnerabilities and preventing further damage is a group effort in the Joomla community. 

Much credit goes to the following people who helped find this exploit and limit the damage:

  • Chad Windnagle (@drmmr763) for snooping out the clues.
  • Watchful's own Jeff Channel (@jeffchannell) for finding the exploit.
  • Phil Taylor (@blueflameit) for reporting the backdoor to the company hosting the website (the site was taken offline very quickly).
  • Ronni Christiansen (@redwebdk) and Tessa Merro (@TessaMero) for working together to remove the plugin from the Joomla Extensions Directory. 

 Is the website still distributing it?

No, the website was taken down by the hosting provider.

How can I check if I am using the plugin? 

In the Joomla backend, look for conent plugins with the name YouTube Joomla Plugin.

If you have multiple sites, speak to your IT department or hosting provider and have them search all your servers/accounts for either plg_content_youtube or plg_content_youtubeplugin. Be sure to search both the filesystem and database.

If your sites are Watchful-enhanced, you can also search for the plugin name from the Watchful dashboard.

I use that plugin, what should I do?

If you use the YouTube Joomla Plugin, there are three recommend number of remedies:

  1. Update the plugins to fixed versions lacking the backdoor. Sign-up below to receive the patched installers via email. 

  2. Uninstall the plugin from the Joomla backend and replace it with an alternative like OSYouTube.

Note that the Youtube Joomla Plugin — even with the backdoor removed — is no longer recommended on production websites as it uses deprecated PHP functions and appears to have no active development. 

Fixing many sites with the Watchful remote installer

If you need to patch multiple Watchful-enhanced sites, you can use the patched installers below to apply the fix to all of the sites at once  using the remote installer

Patched Installers

If you decide to keep the plugin on your existing site, the easiest thing to do is to re-install the plugin using a patched installer.

Simply complete the form below and after confirming your email address, the patched installers will be sent to you via email.

YouTube Backdoor signup

* indicates required