Wait - what?

People actually accept executable, possibly backdoored code and/or assets from random-internet-site-freelancers – then install it on their production sites _without_ security auditing it?

(I know - I _shouldn't_ be surprised, I suspect significant double-digit percentages of WordPress sites have themes installed which have some mysterious "<!-- Don't remove this! required for mobile menu to work! --> <?php echo eval(base_64_decode('foobazbah')) ?> type thing in footer.php…)
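The footer.php pattern described in the comment above (an HTML comment telling the site owner not to remove the line, followed by eval() of a base64 literal) is the kind of thing a basic theme audit should catch before anything is deployed. The scanner below is an added example, not code from this thread or from WordPress; it walks PHP files, flags eval()-of-decoder constructs and a few related primitives, and decodes inline base64 literals so a reviewer can see what would actually execute. The sample footer.php contents and the base64 string are constructed for the example.

```python
import base64
import binascii
import re
from pathlib import Path

# Decoder functions that routinely feed eval() in obfuscated PHP backdoors.
_DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev|urldecode|hex2bin)"

# Each pattern names one construct worth a human look. These are heuristics:
# a hit is a triage lead, not proof of compromise.
SUSPICIOUS_PATTERNS = {
    # eval(base64_decode('...')), eval(gzinflate(...)), etc.
    "eval_of_decoder": re.compile(r"\beval\s*\(\s*" + _DECODERS + r"\s*\(", re.I),
    # nested decoders such as gzinflate(base64_decode(...)) with no eval on the same line
    "decoder_chain": re.compile(_DECODERS + r"\s*\(\s*" + _DECODERS + r"\s*\(", re.I),
    # preg_replace with the /e modifier evaluates the replacement as PHP (removed in PHP 7)
    "preg_replace_e_modifier": re.compile(r"\bpreg_replace\s*\(\s*['\"]\s*/.*?/[a-z]*e[a-z]*['\"]", re.I),
    # assert() with a string or variable argument behaves like eval() on older PHP
    "assert_with_string": re.compile(r"\bassert\s*\(\s*['\"$]", re.I),
    # shell execution driven directly by request input
    "request_to_shell": re.compile(
        r"\b(?:system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
}

# Inline base64 literal passed to base64_decode, captured for decoding.
_B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.I)


def scan_php_source(source: str):
    """Return (line_number, pattern_name, stripped_line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def preview_payload(line: str, limit: int = 80):
    """Decode an inline base64 literal so the reviewer sees what would run.

    Returns None when the line carries no decodable literal.
    """
    match = _B64_LITERAL.search(line)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw[:limit].decode("utf-8", "replace")


def scan_theme_dir(root):
    """Scan every .php file under a theme directory; returns {path: findings}."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample of a trojaned footer.php, modelled on the pattern in the
# comment above. 'Zm9vYmF6YmFo' is just base64 of the string "foobazbah".
SAMPLE_FOOTER = """<?php
// constructed sample file, not a real theme
wp_footer();
?>
<!-- Don't remove this! required for mobile menu to work! -->
<?php echo eval(base64_decode('Zm9vYmF6YmFo')); ?>
</body></html>
"""

# Constructed clean footer for comparison.
CLEAN_FOOTER = """<?php wp_footer(); ?>
</body></html>
"""

if __name__ == "__main__":
    for lineno, name, text in scan_php_source(SAMPLE_FOOTER):
        print(f"line {lineno}: {name}: {text}")
        decoded = preview_payload(text)
        if decoded is not None:
            print(f"  decoded literal: {decoded!r}")
    print("clean file findings:", scan_php_source(CLEAN_FOOTER))
```

Run it against an unpacked theme with scan_theme_dir("path/to/theme") before the theme goes anywhere near production; anything it flags deserves a look at the decoded payload and, ideally, a diff against the vendor's original release of the same theme version.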



Most people I know who have used odesk/elance simply don't have the ability to perform an audit.

They are mostly writers, photographers, non-technical entrepreneurs and so on who have outsourced some development tasks related to their online activities. They personally have no ability to assess the code apart from how it looks in the front end. They could hire a second person to do the audit for them but now they have two people to worry about getting screwed by...
