
Serious WordPress issue exposes users to hijacking even if 2FA is enabled

Unencrypted cookies leave WordPress accounts exposed to hijacking on insecure networks, even if two-factor authentication is enabled.

WordPress administrators must be aware that it is quite easy for attackers to hijack their web site if they log in over a Wi-Fi connection the attacker shares (e.g. from a public place), even if the account is protected by two-factor authentication.

The alarming discovery was made by Yan Zhu, a staff technologist at the Electronic Frontier Foundation, who noticed that WordPress servers do not protect a key browser cookie, transferring it in plain text.

As explained in her blog post, Zhu captured the cookie just after a successful login, then visited the WordPress site from a fresh browser and bypassed the authentication process, even though she had enabled two-factor authentication.

Every time a user successfully logs in to a WordPress instance, the platform tracks the session with a cookie tagged “wordpress_logged_in”, which is set once the user has entered valid WordPress credentials. A pilfered cookie remains valid for three years, even if the legitimate user logs out of the account before then.

 

[Image: WordPress cookie sent in plain text]

Possession of the cookie lets the holder authenticate to the Dashboard section of the WordPress platform, which grants the logged-in account administrative privileges.

Zhu demonstrated that with the stolen cookie it is possible to change the e-mail address of the account and to set up the two-factor authentication feature.

“… subsequently found that the insecure cookie could be used to set someone’s 2fac auth device if they hadn’t set it, thereby locking them out of their account. If someone has set up 2fac already, the attacker can still bypass login auth by cookie stealing – the 2fac auth cookie is also sent over plaintext,” said Zhu.

An attacker sharing the victim's Wi-Fi connection could exploit the vulnerability to lock out the legitimate user.

“When the legitimate user tried to access the account, the attempt would fail, since the one-time passcode would be sent to a number controlled by the attacker.” reported ArsTechnica.

As Zhu reports in the blog post, Andrew Nacin of WordPress informed her that authentication cookies will be invalidated when a session ends in the next WordPress release, and that SSL support in WordPress will soon be improved.

Andrew Nacin also confirmed that exploiting the flaw does not allow attackers to change passwords, because that operation requires a separate authentication cookie tagged “wordpress_sec” that carries the “secure” flag, which causes the browser to send it only over encrypted connections.
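The two cookie-level weaknesses in this story, a session cookie sent without the Secure flag and a lifetime of years rather than a session, are both visible in the Set-Cookie header, so a site operator can check for them directly. The following audit script is an added example written for this article, not code from WordPress or from Zhu's post; the cookie names, values, dates and the 14-day lifetime threshold are constructed for illustration, and the only attribute names it relies on (Secure, HttpOnly, Expires, Max-Age, SameSite) are standard Set-Cookie attributes.

```python
"""Audit Set-Cookie headers for the weaknesses described in the article:
a session cookie without the Secure flag and an over-long lifetime.
Constructed example; not WordPress code."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers modelled on the behaviour the article describes:
# the login cookie lacks Secure and lives for years; the wp-admin cookie is Secure.
SAMPLE_HEADERS = [
    "Set-Cookie: wordpress_logged_in_abc=admin%7C1483228800%7Cdeadbeef; "
    "expires=Thu, 01 Jan 2017 00:00:00 GMT; path=/; httponly",
    "Set-Cookie: wordpress_sec_abc=admin%7C1483228800%7Cc0ffee; "
    "expires=Thu, 01 Jan 2017 00:00:00 GMT; path=/wp-admin; secure; httponly",
]
NOW = datetime(2014, 5, 26, tzinfo=timezone.utc)  # constructed reference time
MAX_LIFETIME_DAYS = 14  # constructed policy threshold; WordPress uses 14 days for "remember me"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (cookie name, {attribute: value})."""
    value = header.split(":", 1)[1].strip() if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookie_lifetime_days(attrs, now=NOW):
    """Lifetime in days from Max-Age or Expires; None for a session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) // 86400
    if "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:  # treat a naive date as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).days
    return None


def audit_cookie(header, now=NOW, max_days=MAX_LIFETIME_DAYS):
    """Return (cookie name, list of findings); an empty list means no issue found."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure flag: cookie is sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag: cookie readable by page scripts")
    days = cookie_lifetime_days(attrs, now)
    if days is not None and days > max_days:
        findings.append(f"lifetime of {days} days exceeds {max_days}-day limit")
    return name, findings


def hardened_set_cookie(name, value, max_age_seconds):
    """Build the corrected form of the same cookie: Secure, HttpOnly, bounded lifetime.
    Secure only helps if the site itself is served over HTTPS."""
    return (f"Set-Cookie: {name}={value}; Max-Age={max_age_seconds}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, findings = audit_cookie(header)
        print(name, "->", findings or "OK")
    fixed = hardened_set_cookie("wordpress_logged_in_abc", "admin%7C1483228800%7Cdeadbeef", 3600)
    print("hardened ->", audit_cookie(fixed)[1] or "OK")
```

Run against a real site by pasting the Set-Cookie lines from the login response into SAMPLE_HEADERS; a clean audit of the cookie flags does not, however, verify the server-side fix Nacin describes (invalidating the cookie on logout), which has to be tested by logging out and replaying the old cookie in a test environment you control.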

Until a fix is available, users should avoid logging in on unsecured networks. Of particular concern is ISP snooping: operators exploiting the flaw could intercept the unencrypted cookie and impersonate vulnerable users.

(Security Affairs –  WordPress, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
