RSS

WordPress Accounts Vulnerable

02 Jun

Anyone who logs into their WordPress account from public WiFi should take note that the user authentication cookies used for logging in are not encrypted and are easily hijacked by anyone looking to steal information. More importantly, this method of hijacking cookies manages to circumvent two-stage authentication. A technologist at the Electronic Frontier Foundation, Yan Zhu, noticed the ‘wordpress_logged_in’ cookie being sent over regular HTTP while looking for a bug report. She then grabbed the cookie to examine it and discovered that WordPress does not encrypt cookies as required for good security practices. The cookie can then be copied and pasted to any other browser to gain access to the victim’s WordPress account. Fortunately the security flaw does not allow hijackers to change passwords; as that information is stored within a different – and more secure – cookie. It, however, does allow others to read private messages, post new blog entries, view blog stats, and comment on other posts as the original user. The WordPress cookie does not even expire after the user logs out, instead lasting for what Zhu notes is three years. Although, she admits that she has no idea how long it takes for the cookie to expire on the server side. WordPress admits that it is aware of the issue, and will fix it with the next release. Until then, users should be extra careful to avoid logging in over public WiFi. Although, it has been pointed out that the issue does not affect WordPress sites using HTTPS.

 
Leave a comment

Posted by on June 2, 2014 in Web Social

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s