Technologist - The FindLaw Legal Technology Blog

WordPress Security Bug: Don't Log In From Public Wi-Fi

Free Wi-Fi is awesome, especially when you need to handle a last-minute or emergency client matter and you don't have your own hotspot available. But like most free things, there is a catch: you're sharing an Internet pipeline with strangers, some of whom may be eavesdropping on your communications.

There are general precautions you can take (which we'll save for a separate post), but suffice it to say: public Wi-Fi is risky, more so when websites haven't implemented best practices for security.

Today's case in point: WordPress.com, and to a lesser extent, self-hosted WordPress sites.

EFF Researcher Finds Unsecured Cookie

Late last week, on her blog, Electronic Frontier Foundation staff technologist Yan Zhu disclosed a bug in WordPress's login security that leaves an authentication cookie unsecured. In simplest terms, when a user logs in, a "wordpress_logged_in" cookie is sent to that user, but the cookie itself is not sent over a secure (HTTPS) connection. A fellow free Wi-Fi user with sniffing software installed can intercept and copy that cookie, giving him access to your site -- no password needed. The cookie is valid for three years and doesn't expire, even if the person logs out.

And two-factor authentication won't help either -- the cookie bypasses this as well.

In geek-free-speak? This is like tossing the keys to your Bentley to a friend who is standing on the other side of a crowded dance floor.

How Bad Does It Get?

According to Zhu, a person with the cookie can create new blogs, add and delete posts, see private content, and worst of all, enable two-factor authentication to lock the original user out of the account -- the second factor, a code, is sent to a phone number controlled by the unauthorized user. In short, it's a complete hijacking, minus the ability to change passwords, a minor inconvenience for the hacker if he is able to turn on two-factor authentication.

As for the reach of the bug, WordPress lead developer Andrew Nacin told Ars Technica that most of the issues were limited to WordPress.com hosted accounts ("yourname.wordpress.com"), and should be fixed soon. Self-hosted sites may also be affected, though additional security measures will be pushed in the next update, and at present, enabling HTTPS on one's site should secure the pipeline for those who want to log in using public Wi-Fi.
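The two technical points above (an authentication cookie issued without the Secure flag, and a cookie that stays valid for years) can both be checked from the response a site returns at login. The following script is an added example, not code from this post, from Zhu's disclosure, or from WordPress: it parses Set-Cookie headers and flags session cookies that a browser would also send over plain HTTP, or that outlive a reasonable session. The cookie names, hash suffix, and dates in the sample headers are constructed; only the "wordpress_logged_in" prefix comes from the disclosure.

```python
"""Audit Set-Cookie headers from a login response for cookies that are unsafe
to hand to a client on an untrusted network (added example, not WordPress code)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie-name prefixes that grant a session when replayed. "wordpress_logged_in"
# is the cookie named in the disclosure; real installs append a hash to the name,
# so we match on the prefix (assumption for this example).
SESSION_PREFIXES = ("wordpress_logged_in_",)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lowercase: value}).
    Flag attributes such as Secure and HttpOnly map to True."""
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def cookie_lifetime_days(attrs, now):
    """Lifetime in days implied by Max-Age or Expires; None for a session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # treat a bare timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None


def audit_cookies(set_cookie_headers, now, max_days=30):
    """Return [(cookie_name, [problem, ...])] for each session cookie that a
    client on shared Wi-Fi should not be given."""
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if not name.startswith(SESSION_PREFIXES):
            continue  # e.g. the harmless wordpress_test_cookie
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure flag: sent over plain HTTP, sniffable on shared Wi-Fi")
        if "httponly" not in attrs:
            problems.append("no HttpOnly flag: readable by scripts on the page")
        days = cookie_lifetime_days(attrs, now)
        if days is not None and days > max_days:
            problems.append(f"lives {days:.0f} days: a copied cookie stays valid long after logout")
        if problems:
            findings.append((name, problems))
    return findings


# Constructed sample headers mimicking the disclosed behaviour: the first cookie
# lacks Secure and expires three years out; the second is what a deployment
# that logs users in over HTTPS should return. Hash suffix and dates are made up.
NOW = datetime(2014, 5, 27, 12, 0, 0, tzinfo=timezone.utc)
WEAK_HEADERS = [
    "wordpress_logged_in_abc123=alice%7C1495900000%7Cdeadbeef; path=/; "
    "expires=Sat, 27 May 2017 12:00:00 GMT; httponly",
    "wordpress_test_cookie=WP+Cookie+check; path=/",
]
HARDENED_HEADERS = [
    "wordpress_logged_in_abc123=alice%7C1401200000%7Cdeadbeef; path=/; "
    "secure; httponly",
]

if __name__ == "__main__":
    for cookie_name, problems in audit_cookies(WEAK_HEADERS, NOW):
        print(cookie_name)
        for problem in problems:
            print("  -", problem)
    print("hardened deployment findings:", audit_cookies(HARDENED_HEADERS, NOW))
```

Run against the weak sample, the script reports the logged-in cookie for the missing Secure flag and its roughly three-year lifetime; against the hardened sample it reports nothing. For a self-hosted site, the fix the paragraph refers to is serving the login and dashboard over HTTPS; the WordPress configuration constant FORCE_SSL_ADMIN in wp-config.php exists for that purpose.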

If you're using public Wi-Fi, we'd also recommend using the EFF's free HTTPS Everywhere extension for Firefox, Chrome, and Opera -- it forces secure connections whenever possible.

Ethics of Publicizing Bugs

In his note to Ars, Nacin noted that "it seems like this [bug] was publicly disclosed without much forewarning." Commenters on Zhu's blog have echoed those criticisms, arguing that she should have waited longer than 24 hours to publicize the security snafu.

Zhu noted that WordPress failed to practice the bare minimum best practice of transmitting authentication data over secure channels, and that prompt disclosure will warn users away from public Wi-Fi until the bug, which is extremely easy to exploit, is fixed. Plus, developers with self-hosted sites can configure their installations to fix the problem now, instead of waiting for a patch.

Worried about the exploit? Does this make you want to avoid public Wi-Fi hotspots, such as those at coffee shops? Join the discussion on Facebook at FindLaw for Legal Professionals.
