
Serious WordPress issue exposes users to hijacking even if 2FA is enabled

Unencrypted cookies leave WordPress accounts exposed to hijacking on insecure networks, even if two-factor authentication is enabled.

WordPress administrators should be aware that an attacker who shares their Wi-Fi connection (for example, in a public place) can hijack their web site fairly easily, even if the account is protected by two-factor authentication.

The alarming discovery was made by Yan Zhu, a staff technologist at the Electronic Frontier Foundation, who noticed that WordPress servers do not protect a key browser cookie and transmit it in plain text.

As explained in her blog post, Zhu captured the cookie just after a successful login, then visited the WordPress site from a fresh browser and bypassed the authentication process, even though she had enabled two-factor authentication.

Every time a user successfully logs in to a WordPress instance, a cookie tagged “wordpress_logged_in” is set once valid WordPress credentials have been entered, and it keeps track of the session from then on. A pilfered cookie remains valid for three years, even if the legitimate user logs out of the account before then.

Possession of the cookie authenticates its holder to the Dashboard section of the WordPress platform, which grants the logged-in account administrative privileges.

Zhu demonstrated that with the stolen cookie it is possible to change the account’s e-mail address and set up the two-factor authentication feature.

“[I] subsequently found that the insecure cookie could be used to set someone’s 2fac auth device if they hadn’t set it, thereby locking them out of their account. If someone has set up 2fac already, the attacker can still bypass login auth by cookie stealing – the 2fac auth cookie is also sent over plaintext,” said Zhu.

A hacker sharing the victim’s Wi-Fi connection could exploit the vulnerability to lock out the legitimate user.

“When the legitimate user tried to access the account, the attempt would fail, since the one-time passcode would be sent to a number controlled by the attacker,” reported ArsTechnica.

As Zhu reported in her blog post, Andrew Nacin of WordPress informed her that authentication cookies will be invalidated when a session ends in the next WordPress release, and that SSL support in WordPress will soon be improved.

Andrew Nacin also confirmed that exploiting the flaw does not allow attackers to change passwords, because that operation requires a separate authentication cookie, tagged “wordpress_sec,” which carries the “secure” flag and is therefore sent only over an encrypted connection.
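As an added example (not part of the original article, and not WordPress code), the following Python script audits a set of Set-Cookie headers for the two weaknesses described above: an authentication cookie sent without the Secure flag, and a cookie whose lifetime far exceeds a normal session. The header lines are constructed for this example; the cookie names reuse the wordpress_logged_in and wordpress_sec prefixes the article mentions, while the _EXAMPLE suffix, the cookie values, the reference date and the 14-day lifetime threshold are assumptions made for the demonstration.

```python
"""Audit Set-Cookie headers for authentication cookies that would travel in
the clear over HTTP or outlive a reasonable session.

All sample data below is constructed for this example; nothing here was
captured from a real site.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample response headers. The cookie names mirror the
# wordpress_logged_in / wordpress_sec prefixes; suffix and values are made up.
SAMPLE_HEADERS = [
    "Set-Cookie: wordpress_logged_in_EXAMPLE=admin%7C1500000000%7Cdeadbeef; "
    "path=/; expires=Fri, 26 May 2017 00:00:00 GMT; HttpOnly",
    "Set-Cookie: wordpress_sec_EXAMPLE=admin%7C1500000000%7Ccafebabe; "
    "path=/wp-admin; secure; HttpOnly",
    "Set-Cookie: wp-settings-time-1=1400000000; path=/",
]

# Reference time for the lifetime calculation (assumed, fixed for reproducibility).
AUDIT_TIME = datetime(2014, 5, 26, tzinfo=timezone.utc)

# Only cookies with these prefixes authenticate a user; others are ignored.
SESSION_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_")
MAX_LIFETIME_DAYS = 14  # policy threshold, an assumption for this example


def parse_set_cookie(header):
    """Split one 'Set-Cookie: name=value; attr; attr=value' line into
    (name, value, {attr_lower: value_or_True})."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, value, attrs


def cookie_lifetime_days(attrs, now):
    """Lifetime in days derived from Max-Age or Expires; None for a pure
    session cookie (no explicit lifetime)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return (expires - now).total_seconds() / 86400
    return None


def audit_cookies(headers, now=None):
    """Return a list of (cookie_name, finding) for authentication cookies
    that lack Secure or HttpOnly, or that live longer than the policy allows."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not name.startswith(SESSION_PREFIXES):
            continue  # not an authentication cookie
        if "secure" not in attrs:
            findings.append((name, "missing Secure flag: sent in clear over HTTP"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly flag: readable by page scripts"))
        days = cookie_lifetime_days(attrs, now)
        if days is not None and days > MAX_LIFETIME_DAYS:
            findings.append((name, f"lifetime {days:.0f} days exceeds {MAX_LIFETIME_DAYS}"))
    return findings


if __name__ == "__main__":
    for cookie_name, finding in audit_cookies(SAMPLE_HEADERS, now=AUDIT_TIME):
        print(f"{cookie_name}: {finding}")
```

Run against the constructed headers, the audit reports the wordpress_logged_in cookie twice (no Secure flag, and a three-year lifetime) and stays silent on wordpress_sec, which matches the behaviour Nacin described. On a site you administer, the same function can be fed the headers of a real login response. Serving the login and admin pages over HTTPS only (in WordPress, the FORCE_SSL_ADMIN constant in wp-config.php) keeps the cookie exchange off plain HTTP in the first place.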

Until a fix is available, users should avoid logging in over unsecured networks. ISP snooping is a particular concern: an operator exploiting the flaw could intercept the unencrypted cookie and impersonate vulnerable users.

(Security Affairs – WordPress, hacking)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
