Unencrypted cookies make WordPress accounts vulnerable over open networks

May 28, 2014 – 5:39 AM

People who access the Internet over open WiFi networks are now vulnerable to having their WordPress site hijacked, even with two-step authentication enabled. The vulnerability was found by Yan Zhu, a staff technologist at the Electronic Frontier Foundation.

Zhu found that when a user accesses WordPress, the site sends a cookie in plain text rather than over an encrypted connection. The cookie carries the tag “wordpress_logged_in,” and whoever holds it is let into sections of the site where they can modify blogs, read private messages, and more. Because WordPress leaves this cookie unencrypted, it can easily be intercepted on an open network.

To test this, Zhu took the cookie from her own account and copied it the same way an attacker would. It logged her in without her having to enter any credentials, and it even bypassed her two-step verification. With the cookie she could change the email address on her account, and she could set up two-step verification if it was not already enabled. Andrew Nacin, a WordPress contributor, tweeted that the intercepted cookie can be used until it expires; it does not, however, let its holder change any passwords, because that requires a separate cookie tagged “wordpress_sec,” which is only ever sent over an encrypted connection.

WordPress accounts that are self-hosted on a server with HTTPS support are not affected by this vulnerability. As long as every user has HTTPS enabled on their site and its cookies carry the “secure” flag, things should be fine. Users without an HTTPS-enabled server should refrain from using any unsecured network when accessing their WordPress account.
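A check a site owner can run for the condition the last paragraph describes, added here as an example that is not from the article or from WordPress itself: it parses the Set-Cookie headers of an HTTP response, reports any login cookie that lacks the “secure” flag (and, secondarily, HttpOnly), and shows what the corrected header looks like. The cookie names are modelled on the two tags the article mentions; the header values and the sample response are constructed.

```python
"""Audit Set-Cookie headers for login cookies that a browser would send over plain HTTP.

Added example, not code from the article or from WordPress. A cookie without the
Secure attribute is sent on every request to the host, including unencrypted ones,
so on an open WiFi network it can be read by anyone on the path.
"""

# Constructed sample response from a hypothetical WordPress install. Cookie names
# follow the prefixes the article mentions; the values are fake.
SAMPLE_HEADERS = [
    "Set-Cookie: wordpress_logged_in_abc123=admin%7C1401000000%7Cdeadbeef; path=/; HttpOnly",
    "Set-Cookie: wordpress_sec_abc123=admin%7C1401000000%7Ccafebabe; path=/wp-admin; secure; HttpOnly",
    "Set-Cookie: wp-settings-time-1=1400000000; path=/",
]

# Prefixes of cookies that grant authenticated access; their exposure is what matters.
SENSITIVE_PREFIXES = ("wordpress_logged_in", "wordpress_sec")


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased because they are case-insensitive on the wire;
    flag attributes such as Secure and HttpOnly get the value True.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(headers, sensitive_prefixes=SENSITIVE_PREFIXES):
    """Return [(cookie name, [missing flags])] for sensitive cookies lacking protection."""
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if not name.startswith(sensitive_prefixes):
            continue
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def harden(header):
    """Return the same Set-Cookie header with Secure and HttpOnly added where absent."""
    name, value, attrs = parse_set_cookie(header)
    for flag in ("secure", "httponly"):
        attrs.setdefault(flag, True)
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        rendered.append(key if val is True else f"{key}={val}")
    return "Set-Cookie: " + "; ".join(rendered)


if __name__ == "__main__":
    for cookie_name, missing_flags in audit_cookies(SAMPLE_HEADERS):
        print(f"{cookie_name}: missing {', '.join(missing_flags)}")
    print("corrected:", harden(SAMPLE_HEADERS[0]))
```

Run against a real response, the headers come from the site's own `Set-Cookie` lines (for example as captured by a browser's developer tools). Adding the flag is only half of the fix: a cookie marked Secure is never sent over HTTP, so the site must serve its logged-in pages over HTTPS for the session to work at all, which is the article's advice. On a self-hosted install the usual way to get there is to force TLS site-wide and for the admin area; the `FORCE_SSL_ADMIN` constant in wp-config.php is the WordPress setting for the latter, though the article itself does not name it.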
