Today, we've been reading the news about how a user discovered the risks of free downloads from untrusted sources.
In the article "Warning! Don't download joomla extensions from untrusted websites!", Daniel describes how he downloaded and installed an extension from an unknown author. Soon, he discovered that the source code contained a hidden link.
He then downloaded the module again, only to discover a different hidden link! So the untrusted author has not only been surreptitiously adding links, but has also been rotating the hidden links as a regular operation.
As Daniel notes, a hidden link is one way to get your site hacked. The source code could also carry worse attack vectors, for example, accessing your site's customers, user passwords, and social media accounts.
The module has now been reported and is no longer listed on the JED.
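The check Daniel did by hand, downloading the package twice and comparing the results, can be scripted before anything is installed. The following Python is an added example, not code from Daniel's article or from Joomla; the file names, hosts and the inline-style hiding techniques it looks for are assumptions, and the two sample packages are constructed.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Inline styles commonly used to hide an anchor from visitors (assumed list, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
ANCHOR = re.compile(r"<a\b[^>]*>", re.I)
HREF = re.compile(r"""href\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)

def load_tree(root, suffixes=(".php", ".html", ".js", ".xml")):
    """Read an extracted extension package into {relative path: content}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in suffixes}

def external_links(files):
    """Map each file to the set of (host, is_hidden) pairs found in its anchors."""
    found = {}
    for path, text in files.items():
        for tag in ANCHOR.findall(text):
            m = HREF.search(tag)
            if m:
                host = urlparse(m.group(1)).hostname or ""
                found.setdefault(path, set()).add((host, bool(HIDDEN_STYLE.search(tag))))
    return found

def hidden_links(files):
    """List (file, host) for every anchor hidden by inline style."""
    return sorted((p, h) for p, links in external_links(files).items()
                  for h, hidden in links if hidden)

def compare_downloads(first, second):
    """Two downloads of the same release should be identical; report what is not."""
    hosts = lambda f: {h for links in external_links(f).values() for h, _ in links}
    return {"changed_files": sorted(p for p in first.keys() | second.keys()
                                    if first.get(p) != second.get(p)),
            "only_in_first": sorted(hosts(first) - hosts(second)),
            "only_in_second": sorted(hosts(second) - hosts(first))}

# Constructed sample: the same module fetched twice, with a rotated hidden link.
TMPL = '<div class="mod"><?php echo $title; ?></div>\n<a href="http://%s/promo" style="%s">deals</a>\n'
XML = '<extension type="module"><authorUrl>https://author.example</authorUrl></extension>'
DOWNLOAD_1 = {"mod_example/tmpl/default.php": TMPL % ("links-one.example", "display:none"),
              "mod_example/mod_example.xml": XML}
DOWNLOAD_2 = {"mod_example/tmpl/default.php": TMPL % ("links-two.example", "position:absolute; left:-9999px"),
              "mod_example/mod_example.xml": XML}

if __name__ == "__main__":
    print(hidden_links(DOWNLOAD_1))
    print(compare_downloads(DOWNLOAD_1, DOWNLOAD_2))
```

For real packages, extract each download into its own directory and pass the results of `load_tree()` to the same functions. Links assembled at runtime or hidden through external stylesheets are not caught by this pattern match.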
From Joomla's Security Checklist:
- Use the community: Don't forget the truism, "If a deal is too good to be true, it is." ...
As Daniel concludes, "This goes to you too! Be careful where you download your next joomla extension!"