WordPress installations prone to hijacking over public Wi-Fi networks
Malicious persons can take over a WordPress installation over a public or unsecured Wi-Fi network, even if two-step verification is enabled. A lead developer of the open source CMS has confirmed this. He says a fix is coming.
An employee of the Electronic Frontier Foundation, the US counterpart of Bits of Freedom, discovered that all WordPress installations are susceptible to hijacking, Ars Technica reported Monday. The cause is a so-called key cookie, which sends the username and password unencrypted via the browser; it is the cookie tagged ‘wordpress_logged_in’.
According to the employee, Yan Zhu, malicious parties can intercept the cookie when users log in over an unsecured connection. She reproduced the procedure and found that she was logged in immediately, without entering any login details. She also found that two-step verification by telephone could be bypassed this way, she announced on Thursday.
The leak allowed Zhu to post, read private messages and view statistics under the blogger’s name, and to write comments on his behalf. She was also able to change the email address associated with the account, leaving the owner of the WordPress installation unable to change their password. Finally, Zhu could enable two-step verification if it was not already on, effectively locking the user out of the site. Changing the password itself is not possible; that requires a separate cookie, which is encrypted.
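The problem described above is that the browser will send the ‘wordpress_logged_in’ cookie over plain HTTP unless the server marks it with the Secure attribute. The following checker, added here as an illustration and not part of the article or of WordPress, audits a site's Set-Cookie headers and reports which WordPress session cookies lack the Secure or HttpOnly flags. The header lines below are constructed samples; the cookie names follow the real WordPress naming scheme (wordpress_logged_in_*, wordpress_sec_* and wordpress_*), and the cookie values are made-up placeholders.

```python
# Added example: audit WordPress session cookies for the Secure/HttpOnly flags.
# Input: a list of Set-Cookie header values as returned by the server.
# Output: a list of (cookie name, missing flags) for every WordPress auth cookie.

WP_TEST_COOKIE = "wordpress_test_cookie"  # harmless cookie-support probe, not a session


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes).

    Attribute keys are lower-cased; valueless attributes such as 'secure'
    and 'httponly' map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def is_wp_session_cookie(name):
    """True for wordpress_*, wordpress_sec_* and wordpress_logged_in_* cookies,
    excluding the wordpress_test_cookie probe."""
    return name.startswith("wordpress_") and not name.startswith(WP_TEST_COOKIE)


def audit_cookies(headers):
    """Return [(name, [missing flags])] for each WordPress session cookie.

    A missing 'secure' flag means the browser will also send the cookie over
    plain HTTP, where it can be read on an untrusted network.
    """
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not is_wp_session_cookie(name):
            continue
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        findings.append((name, missing))
    return findings


# Constructed sample headers (hash suffixes and values are placeholders).
SAMPLE_HEADERS = [
    "wordpress_logged_in_abc123=admin%7C1401000000%7Cdeadbeef; path=/; HttpOnly",
    "wordpress_sec_abc123=admin%7C1401000000%7Ccafebabe; path=/wp-admin; secure; HttpOnly",
    "wordpress_test_cookie=WP+Cookie+check; path=/",
    "PHPSESSID=placeholder; path=/",
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS):
        status = "missing " + ", ".join(missing) if missing else "ok"
        print(f"{name}: {status}")
```

On the sample input the logged-in cookie is reported as missing the Secure flag while the wp-admin cookie is fine, which matches the situation the article describes. Serving the whole site over HTTPS and setting WordPress's `FORCE_SSL_ADMIN` constant in wp-config.php makes WordPress issue its session cookies with the Secure flag, so a browser on a public network never transmits them in the clear.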
WordPress lead developer Andrew Nacin confirmed the vulnerability in a tweet on Thursday. He said a patch is planned for the next release, which is not yet out. Until then, all WordPress installations are susceptible, provided the conditions for the attack described above are met. Zhu therefore advises users not to log in over untrusted internet connections.
It is the second time in a short period that attackers have been able to log into WordPress systems via cookies. Last month, developers squashed another bug that let attackers into WordPress via forged authentication cookies. Early versions of 3.9, as well as versions 3.8 and 3.7, were vulnerable.