Cookies flaw lets hackers steal WordPress accounts

A researcher at the Electronic Frontier Foundation (EFF) says that blogs hosted on WordPress can be hacked when connected to public Wi-Fi, even if two-factor authentication is employed.

EFF technologist Yan Zhu stumbled upon the vulnerability when looking for privacy options and instead found that WordPress sends the browser cookie in plaintext over HTTP, rather than encrypted as is recommended.

Investigating further, she logged out of her WordPress account, copied the “wordpress_logged_in” cookie into a fresh browser profile, and visited http://wordpress.com/. She managed to log in with this information alone, despite not entering her log-in credentials and even having two-factor authentication set by default.

If that isn't bad enough, Zhu added that the cookie isn't invalidated when the original user logs out or back in – instead it doesn't expire for three years.

Once logged in, Zhu was able to see private posts, comment on other blogs as the user (which in this case, was her own account) and see blog statistics.

“Moral of the story: don't visit a WordPress site while logged into your account on an untrusted local network,” she wrote on her blog.

Three days later – on Sunday – she added that the insecure cookie could also be used by the hacker to set up two-factor authentication, essentially locking the end user out of their account.

“I subsequently found that the insecure cookie could be used to set someone's two-factor authentication device if they hadn't set it, thereby locking them out of their account. If someone has set up two-factor already, the attacker can still bypass login auth by cookie stealing – the two-factor authentication cookie is also sent over plaintext.”

WordPress developer Andrew Nacin confirmed on Twitter that authentication cookies aren't invalidated immediately after a session ends, but says that this will be rectified in the next WordPress release. SSL support will also improve in future versions of the blogging software.

Errata Security CEO Robert David Graham blogged that this is one of many WordPress security flaws, with others including the log-in page being served by HTTP and the configuration being built on the decade-old LAMP which doesn't scale.

“The upshot is this: WordPress is fundamentally broken in every way something can be broken. There's no way to secure it. There's no way to make it fast enough without spending a lot of money. If you are starting a new project, do not under any circumstances use WordPress. If you are stuck with WordPress, well, then, it sucks to be you, I know of no way to help you.”

Andrew Kellett, the principal security analyst at Ovum, told SCMagazineUK.com that WordPress had taken the necessary steps to remediate the issue, but said that because it was picked up by a third party the company would be pushed into a “fire-fighting exercise” in order to deal with the fallout and necessary fixes.

“It looks like yet another example of a longstanding vulnerability coming to light within a commonly used software product/software service,” he told SCMagazineUK.com.

“From what I can see it looks as though WordPress are looking to address the issue with a patch release and have put out an advisory on the vulnerability issues. That all seems to follow expectations in terms of expected remediation, albeit the responsibility then moves to the user community to ensure that the patching gets implemented and updates done.”

Meanwhile, a spokesperson from MWR InfoSecurity said that businesses should protect their cookies so that they're only transmitted over a safe, encrypted connection.

"Businesses can help avoid hijacking attacks by protecting their cookies with the secure flag so they're only transmitted over an encrypted connection, and by configuring web servers to only serve content over HTTPS," said the spokesperson, who wished to remain anonymous.

"Web servers can also be configured with a Strict Transport Security HTTP header to prevent falling back to HTTP even if an attacker is in a position to man-in-the-middle users with tools like SSLStrip. Businesses can proactively prevent themselves from being affected by these types of issues by performing application security testing as part of their overall approach to information security. Testing would identify these types of vulnerability and allow the security model of the site or application to be altered or the issues resolved."
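The mitigations named above (the Secure flag, a bounded cookie lifetime, and a Strict Transport Security header) can be checked against a site's response headers. The following is an added example, not code from WordPress or from anyone quoted in this article; the two policy thresholds, the reference time and the sample headers are constructed assumptions, and the cookie is matched by the "wordpress_logged_in" name prefix.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_COOKIE_AGE = 14 * 86400   # assumed policy: auth cookies live at most two weeks
MIN_HSTS_AGE = 180 * 86400    # assumed policy: HSTS max-age of at least six months

def parse_set_cookie(value):
    """Return (cookie name, {lowercased attribute: value}) for one Set-Cookie value."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def lifetime_seconds(attrs, now):
    """Cookie lifetime from Max-Age (preferred) or Expires; None for session cookies."""
    if attrs.get("max-age", "").isdigit():
        return int(attrs["max-age"])
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    return None

def audit(headers, now, auth_prefix="wordpress_logged_in"):
    """Check (name, value) response headers; return a list of findings."""
    findings, hsts = [], ""
    for key, value in headers:
        if key.lower() == "strict-transport-security":
            hsts = value
        elif key.lower() == "set-cookie" and value.lstrip().startswith(auth_prefix):
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"{name}: no Secure flag, sent over plain HTTP")
            life = lifetime_seconds(attrs, now)
            if life is not None and life > MAX_COOKIE_AGE:
                findings.append(f"{name}: lifetime {life / 86400:.0f} days")
    match = re.search(r"max-age=(\d+)", hsts, re.I)
    if not match:
        findings.append("HSTS: header missing")
    elif int(match.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS: max-age below policy")
    return findings

# Constructed sample responses (not captured traffic); cookie values are placeholders.
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
WEAK = [("Set-Cookie", "wordpress_logged_in=PLACEHOLDER; expires=Thu, 01 Jun 2017 00:00:00 GMT; path=/")]
HARDENED = [("Set-Cookie", "wordpress_logged_in=PLACEHOLDER; Max-Age=1209600; Path=/; Secure"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
```

Calling `audit(WEAK, NOW)` reports the missing Secure flag, the three-year lifetime and the absent HSTS header, while `audit(HARDENED, NOW)` returns an empty list.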