WordPress accounts logged in on unsecured networks can be hacked even with two-factor authentication

Do you log into a WordPress hosted blog from some unsecured network or a public Wi-Fi connection? Well, you should be warned before it’s too late. Any script kiddie who’s seated a few tables away from you can easily hack your site. Yeah, even if it is secured with two factor authentication.

Unsafe cookies leave WordPress accounts open to hijacking

This was noticed by Electronic Frontier Foundation’s staff technologist, Yan Zhu. She came to this conclusion after observing that WordPress servers send a key browser cookie in plain text instead of encrypting it, as long authorized by widely accepted security practices. Once an end user has entered a valid username and password, the cookie carrying the tag “wordpress_logged_in” is set. This is the website which is kind of same as the plastic bracelets used by nightclubs. Once the cookie is presented by the browser, WordPress servers allow the user behind a velvet rope to view private messages, publish blog posts and also update some user settings.

Zhu ripped a cookie for her own account in the same way a malicious hacker might and later pasted it into a fresh browser profile. After this, she visited WordPress and was automatically logged in without having to enter her credentials. This happened even though she had enabled two-factor authentication. Then, she was able to publish blog posts and read private posts and blog stats. She was also allowed to post comments from her account. Like all this wasn’t enough, she could even change the e-mail address assigned to the account. Hacking an account like this, one can even set up the two factor authentication if it wasn’t there earlier. Like this, the hacker could lock the owner from his own account.

Remarkably, the pilfered cookie will remain valid for three years, even if the victim logs out of the account before then. Zhu blogged about the vulnerability late Thursday.

Andrew Nacin, WordPress lead developer tweeted recently that :

“Cookies can be replayed until expiration”.

Also, he said that a fix is scheduled for the next WordPress release. And, the exploit doesn’t allow the hackers to change passwords as that setting need a separate authentication cookie tagged “wordpress_sec”, including the “secure” flag that causes it to be sent encrypted.

The good news is that, WordPress sites that are self-hosted on a server with full HTTPS support are not vulnerable. So, until a fix is available, all WordPress users should make sure that the sit which they are logging into contains full HTTPS support. In case not, then users should not log on unsecured networks.