TimThumb Image Resizer and Website Security

TimThumb is no longer supported or maintained.

My friend Alex Denning recently asked me to write some bits about TimThumb for an article he was putting together.

The main purpose of TimThumb was to dynamically resize images on websites, making it easier for web developers to manage their content. Unfortunately, it was vulnerable to attack, and many sites were infected because of it.

Shockingly, even today, there are still tens of thousands of sites out there using TimThumb, unknowingly putting themselves at risk.

Fortunately nobody has contacted me about it for a while now so I think use has reduced a lot, but as the article shows there are still a lot of sites using it.

My Memories of TimThumb

Anyway - Alex (or someone in his team) wrote the article which you can see here. The full text I wrote for Alex is below.

Back when we created TimThumb, WordPress didn’t have image thumbnails, so we saw it as a really cool way to enhance website aesthetics. We built it to include in our premium themes that we were about to release, but we didn’t anticipate its popularity. WordPress Theme Shops were still a new concept, so other theme shops like WooThemes bought our theme to use the image resizing script.

At the time, GitHub didn’t exist, so when we open-sourced it, we hosted it on Google Code. The first indication that something was wrong was when my own site was defaced. Someone had changed my footer to link somewhere else. Unsure of the cause, I reverted it and ensured everything was up to date. Fortunately, this was before hackers started introducing backdoors, so it didn’t happen again.

A couple of days later, reports emerged that TimThumb was hacked, and my heart sank. I felt super guilty and spent a lot of time over the next few days trying to make it more secure. Meanwhile, a developer named Mark Maunder was rewriting TimThumb to make it (hopefully) bulletproof, and Matt Mullenweg introduced us. We joined forces to release a more secure TimThumb that was backward-compatible.

Mark went on to found WordFence, a company focused on website security.

The vulnerability arose from a few different factors:

  1. I had allowed resizing of external images, which meant files from other websites could be loaded.
  2. I enabled data caching for those external files without performing any file type checks to ensure they were images, not code.
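The two checks those factors point to, as an added example that is not TimThumb's code: an exact-match allowlist of remote hosts, and a decision about the file type taken from the bytes actually fetched rather than from the URL, before anything is written to the cache. The allowlist, the signature table and the sample inputs are constructed for this illustration.

```python
import hashlib
from urllib.parse import urlparse

# Assumed allowlist of hosts a remote fetch may come from (constructed for this example).
ALLOWED_HOSTS = {"images.example.com"}

# Leading bytes of the image formats a resizer would accept.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def host_allowed(url, allowed=ALLOWED_HOSTS):
    """Exact match on the parsed hostname, not a substring test on the URL."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    return parsed.hostname in allowed


def sniff_image_type(data):
    """Return the image type implied by the leading bytes, or None for non-images."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def cache_decision(url, data):
    """Return (ok, reason_or_cache_name) for fetched bytes.

    The cache name comes from the URL hash plus the sniffed type, so the
    extension is never chosen by the remote side or by the request.
    """
    if not host_allowed(url):
        return False, "host not in allowlist"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "fetched bytes are not a recognised image"
    return True, hashlib.sha256(url.encode()).hexdigest() + "." + kind


if __name__ == "__main__":
    # Constructed inputs: a JPEG header and a text file that is not an image.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print(cache_decision("https://images.example.com/photo.jpg", jpeg))
    print(cache_decision("https://images.example.com/photo.jpg", b"<?php echo 1; ?>"))
    print(cache_decision("https://other.example.net/photo.jpg", jpeg))
```

A leading-bytes check only rejects obvious non-images; the stronger complements are re-encoding the picture through an image library before it is cached and serving the cache directory with script execution disabled.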

Besides feeling really bad about the damage I had caused, I learned a lot from this experience. Since it happened, I have been a lot less trusting of people online and have released a lot less code than I think I might have otherwise. In the projects I have been involved with, I have become very vigilant when it comes to data sanitization and ensuring it is as secure as possible.

Was it good / useful / a load of old rubbish? Let me know on Mastodon, or BlueSky (or Twitter X if you must).
