Printed from http://www.electronista.com

Wordpress login cookies unencrypted, vulnerable to easy hijacking

updated 04:26 pm EDT, Wed May 28, 2014

Technologist warns not to use Wordpress.com over unsecured networks

A staff technologist for the Electronic Frontier Foundation has found that Wordpress.com sets a login cookie that is transmitted in plain text to the authentication endpoint, leaving sites open to simple hijacking attempts. Yan Zhu posted about the discovery, detailing how the information in the cookie could be used to access another person's site if it were intercepted.

The cookie contains a tag labeled "wordpress_logged_in" that is set once a user logs into Wordpress. Once the login succeeds, the cookie is given an expiration three years in the future, and it stays valid even if the user logs out of the system. If the cookie is captured by someone on an unsecured network, they can control certain aspects of the blog and exercise the privileges of the Wordpress.com account.

Even though this type of tag in a cookie is common, there is a larger problem because it is sent in plain text rather than using any sort of encryption. This makes getting into a blog easier, since a malicious person can reuse the cookie without much hassle: they only need to paste it into a new browser profile. This leaves Wordpress.com users two options to invalidate the cookie: wait three years or change the account password.
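The weaknesses the article describes (a login cookie without the Secure flag and a lifetime measured in years) are visible in the Set-Cookie headers a site returns, so a defender can check for them directly. The following PHP is an added example, not code from the article or from WordPress: it parses Set-Cookie headers and reports a missing Secure flag, a missing HttpOnly flag, and a lifetime beyond an assumed 14-day policy. The two sample headers are constructed for illustration; the first mirrors what the article describes and the second shows a hardened session cookie.

```php
<?php
// Added example, not code from the article or from WordPress: audit a set of
// Set-Cookie headers for the weaknesses the article describes (no Secure flag,
// a lifetime measured in years). The headers below are constructed samples.

// Assumption: any session cookie living longer than this is flagged.
const MAX_LIFETIME_SECONDS = 14 * 24 * 3600;

// Parse one Set-Cookie header into its name and a map of lower-cased attributes.
// Flag attributes without a value (Secure, HttpOnly) are stored as true.
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('=', $part, 2), 2, true);
        $attrs[strtolower($key)] = $value;
    }
    return [$name, $attrs];
}

// Return the problems found for one header, given the current time as a
// Unix timestamp (needed to turn an absolute Expires date into a lifetime).
function auditSetCookie(string $header, int $now): array
{
    [$name, $attrs] = parseSetCookie($header);
    $findings = [];
    if (!isset($attrs['secure'])) {
        $findings[] = 'no Secure flag: the browser will also send it over plain HTTP';
    }
    if (!isset($attrs['httponly'])) {
        $findings[] = 'no HttpOnly flag: readable from page scripts';
    }
    $lifetime = null;
    if (isset($attrs['max-age'])) {
        $lifetime = (int) $attrs['max-age'];
    } elseif (isset($attrs['expires']) && ($ts = strtotime($attrs['expires'])) !== false) {
        $lifetime = $ts - $now;
    }
    if ($lifetime !== null && $lifetime > MAX_LIFETIME_SECONDS) {
        $findings[] = sprintf('lifetime of %d days exceeds the %d-day limit',
            intdiv($lifetime, 86400), intdiv(MAX_LIFETIME_SECONDS, 86400));
    }
    return ['cookie' => $name, 'findings' => $findings];
}

// Constructed samples: the first mirrors the article's description (three-year
// expiry, no Secure flag), the second is what a hardened session cookie looks like.
$now = strtotime('2014-05-28 20:26:00 UTC');
$samples = [
    'wordpress_logged_in_EXAMPLEHASH=alice|EXPIRYTS|CONSTRUCTEDHMAC; expires=Sun, 28-May-2017 20:26:00 GMT; path=/; httponly',
    'session=CONSTRUCTEDTOKEN; Max-Age=1209600; Path=/; Secure; HttpOnly; SameSite=Lax',
];
foreach ($samples as $header) {
    $result = auditSetCookie($header, $now);
    echo $result['cookie'], ':', PHP_EOL;
    foreach ($result['findings'] ?: ['no findings'] as $finding) {
        echo '  - ', $finding, PHP_EOL;
    }
}
```

Run it with `php audit.php`; in practice the headers would come from the response to a login request captured with the site owner's own tooling. The lifetime check is what catches the three-year expiry: a cookie that outlives the session by years is a problem even when it is finally marked Secure.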

Luckily, someone hijacking the account won't be able to change the password using the cookie, but there are a number of other things that can be seen and done. Several of these could be undone, like creating new posts or entire blog sites, or posting comments under the captured login. Others, like activating two-factor authentication if it isn't already active on the account, pose a larger problem for getting access back.

Even though the problem appears to be tied to Wordpress.com accounts, that doesn't mean self-hosted Wordpress sites are excluded from it. It is recommended that these sites run on servers that use SSL, with Wordpress configured to set the "secure" flag on its auth cookies. Zhu recommends that Wordpress.com users refrain from logging in on unsecured, untrusted networks until Wordpress has a fix in place.
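For a self-hosted site, the recommendation above (serve over SSL and mark the auth cookies Secure) maps onto a handful of WordPress hooks. The following must-use plugin is an added example, not code from the article or from the WordPress project. It uses the real `secure_auth_cookie`, `secure_logged_in_cookie` and `auth_cookie_expiration` filters and the `send_headers` action; the six-month HSTS value and the seven-day cookie cap are assumed policy choices, and the file assumes the whole site, not just the admin area, is served over HTTPS.

```php
<?php
/**
 * Plugin Name: Secure Auth Cookies (added example)
 *
 * Added example, not code from the article or the WordPress project. Place
 * this file in wp-content/mu-plugins/ on a self-hosted site that is served
 * entirely over HTTPS. It forces the Secure flag on WordPress's auth and
 * logged_in cookies, caps their lifetime, and sends an HSTS header.
 *
 * Pair it with FORCE_SSL_ADMIN in wp-config.php (not in this file, since
 * add_filter() is not yet loaded when wp-config.php runs):
 *     define('FORCE_SSL_ADMIN', true);
 */

// Don't run outside WordPress.
if (!defined('ABSPATH')) {
    exit;
}

// By default WordPress marks the auth cookie Secure only when is_ssl() is
// true for the current request, and the logged_in cookie only when the site's
// home URL is also https. A site served exclusively over TLS can force both.
add_filter('secure_auth_cookie', '__return_true');
add_filter('secure_logged_in_cookie', '__return_true');

// Cap the cookie lifetime. WordPress defaults to 14 days with "remember me"
// and 2 days without; the 7-day ceiling here is an assumed policy value.
add_filter('auth_cookie_expiration', function ($expiration, $user_id, $remember) {
    return min($expiration, 7 * DAY_IN_SECONDS);
}, 10, 3);

// Tell browsers to keep using HTTPS for six months (assumed policy value).
// Only emitted on TLS responses, as the HSTS spec requires.
add_action('send_headers', function () {
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=15552000');
    }
});
```

If the site sits behind a TLS-terminating proxy, `is_ssl()` will return false unless `$_SERVER['HTTPS']` is set from the proxy's forwarded-protocol header in wp-config.php; without that, the Secure flag is still forced by the filters, but the HSTS header would never be sent.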

Zhu was contacted by Andrew Nacin of Wordpress after cluing the company in on the problem. Nacin said that the auth cookies would be invalidated when a session ends in the next Wordpress release. The company is also looking to improve SSL support.




By Electronista Staff