Unencrypted cookies make WordPress accounts vulnerable over open networks

People using WordPress over open Wi-Fi networks are vulnerable to having their WordPress site hijacked, even with two-step authentication enabled. The vulnerability was found by Yan Zhu, a staff technologist with the Electronic Frontier Foundation.

Zhu found that when a user logs in to WordPress, the site sends an authentication cookie in plain text rather than over an encrypted connection. The cookie is tagged "wordpress_logged_in", and whoever holds it is treated as that user: WordPress lets them into parts of the site where they can modify blogs, read private messages, and more. Because WordPress sends this cookie unencrypted, it can easily be intercepted on the network.

To test this, Zhu took the cookie from her own account and replayed it the same way an attacker would. It logged her in without her entering any credentials, and it even bypassed her two-step verification. With the cookie she could change the email address on her account and enable two-step verification if it was not already set up. Andrew Nacin, a WordPress contributor, tweeted that a stolen cookie remains usable until it expires; it does not, however, let the holder change any passwords, because that requires a separate "wordpress_sec" cookie, which is only sent over an encrypted connection.

Self-hosted WordPress sites served over HTTPS are not affected by this vulnerability. As long as HTTPS is enabled for the site and its cookies carry the "secure" flag, the cookie is never sent in the clear. Users whose server does not support HTTPS should avoid accessing their WordPress account over any unsecured network.
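As an added illustration of the "secure" flag described above (example code written here, not from the article, Zhu's research or WordPress itself), the following audit parses Set-Cookie headers and reports session cookies that a browser would still send over plain HTTP. The header values are constructed, and the hash suffix in the cookie names is a placeholder.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers modelled on the two cookies the article names:
# "wordpress_logged_in" without the Secure flag and "wordpress_sec" with it.
# PLACEHOLDERHASH stands in for the per-site hash suffix WordPress appends.
SAMPLE_SET_COOKIE_HEADERS = [
    "wordpress_logged_in_PLACEHOLDERHASH=admin%7C1234; path=/; HttpOnly",
    "wordpress_sec_PLACEHOLDERHASH=admin%7C5678; path=/wp-admin; secure; HttpOnly",
    "wp-settings-time-1=1400000000; path=/",
]

# Cookie name prefixes that grant a logged-in session (from the article).
SESSION_PREFIXES = ("wordpress_logged_in", "wordpress_sec")


def parse_set_cookie(header):
    """Return (cookie name, {"secure": bool, "httponly": bool}) for one header."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    # Morsel stores flag attributes as True when present and "" when absent.
    flags = {"secure": bool(morsel["secure"]), "httponly": bool(morsel["httponly"])}
    return name, flags


def audit_session_cookies(headers):
    """Names of session cookies that lack the Secure flag, i.e. that a browser
    would transmit in the clear on any http:// request to the site."""
    weak = []
    for header in headers:
        name, flags = parse_set_cookie(header)
        if name.startswith(SESSION_PREFIXES) and not flags["secure"]:
            weak.append(name)
    return weak


def would_be_sent(header, url):
    """Would a browser attach this cookie to a request for url?
    A Secure cookie is only sent over https; any other cookie goes over both."""
    _, flags = parse_set_cookie(header)
    return urlsplit(url).scheme == "https" or not flags["secure"]


if __name__ == "__main__":
    for name in audit_session_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{name}: session cookie without Secure flag, exposed over http")
```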

Source: Ars Technica | Image via Morroni


This isn't a WordPress bug, it's a 'feature' of nearly all server-side software running on http (and not https).
Sniff someone's neowin cookies and you'd also have full access to their account.

n_K said,
This isn't a WordPress bug, it's a 'feature' of nearly all server-side software running on http (and not https).
Sniff someone's neowin cookies and you'd also have full access to their account.

Exactly. It's just how cookies work, there's little that can be done about it that wouldn't be a major annoyance to users.

n_K said,
This isn't a WordPress bug, it's a 'feature' of nearly all server-side software running on http (and not https).
Sniff someone's neowin cookies and you'd also have full access to their account.
Speaking of Neowin, if you can become a man in the middle, you could outright steal people's passwords with script-injection because the login form isn't protected with SSL. The submission is, but that's pretty much pointless since you can steal a user's password before it gets submitted.

Pluto is a Planet said,
Speaking of Neowin, if you can become a man in the middle, you could outright steal people's passwords with script-injection because the login form isn't protected with SSL. The submission is, but that's pretty much pointless since you can steal a user's password before it gets submitted.

For the past year or two, Neowin has made the login SSL.

n_K said,

For the past year or two, Neowin has made the login SSL.
Sending off your password is encrypted with SSL. But the login form itself is not encrypted, because the login form is included on every page of the website. So someone can add code to every Neowin page that is sent to your computer, and if you ever click the login button it would steal your password as you type it in. It doesn't matter that logging in is encrypted with SSL because the login page itself is not encrypted.

I can provide a proof of concept video if you still don't believe me.

Well obviously, people can do that with banks as well but you're required to MITM attack which is much more involved than this. All this does is read data passing through the network, if you want to MITM you'd need to setup a gateway, get a reply in before the normal host does, ensure the network equipment isn't setup to ignore certain packets or broadcasts due to security policies, etc. and is overall much harder to do.

n_K said,
Well obviously, people can do that with banks as well but you're required to MITM attack which is much more involved than this. All this does is read data passing through the network, if you want to MITM you'd need to setup a gateway, get a reply in before the normal host does, ensure the network equipment isn't setup to ignore certain packets or broadcasts due to security policies, etc. and is overall much harder to do.
You just need a regular computer with Ettercap... It's not that complicated.

Pluto is a Planet said,
You just need a regular computer with Ettercap... It's not that complicated.

Again no, it's down to security policies, depending on your network configuration and hardware you can stop people performing MITM attacks and arp poisoning by blocking network ports/nodes from broadcasts or certain packets and only allowing the proper gateway.
Most coffeeshop wireless points won't do that, but it doesn't mean they all have lax security like you're implying.

boo_star said,
Nothing worthwhile is posted on WordPress anyway.

I'd rather the scammers take control.

Really? How about CNN, New York Times, Forbes, Reuters...

WordPress is a very rare topic on Neowin. Considering I'm a WP Theme Dev, I'm highly surprised, but this is definitely news.

If it's over network, I wonder if JetPack is affected since it's practically a bridge between .com and .org

Mr.XXIV said,
WordPress is a very rare topic on Neowin. Considering I'm a WP Theme Dev, I'm highly surprised, but this is definitely news.

If it's over network, I wonder if JetPack is affected since it's practically a bridge between .com and .org

The majority of my clients (I'm a WP dev too) are running https because as far as I'm concerned any software sending any cookie over unencrypted networks is liable to this flaw, not just WordPress.

AFAIK Jetpack is subject to an extra routine check before transmitting data, so I think (but don't know) it'd be setting fresh cookies at that moment. I expect it to be patched in hours, to be fair.