WordPress Cookie Flaw Lets Hackers Hijack Your Account

Posted on Posted in Hacker News
Do you own a blog on WordPress.com website? If Yes, then you should take some extra cautious while signing into your WordPress account from the next time when connected to public Wi-Fi, because it can be hacked without your knowledge, even if you have enabled two-factor authentication.
Yan Zhu, a researcher at the Electronic Frontier Foundation (EFF) noticed that the blogs hosted on WordPress are sending user authentication cookies in plain text, rather than encrypting it. So, it can be easily hijacked by even a Script-Kiddie looking to steal information.
HIJACKING AUTHENTICATION COOKIES
When WordPress users log into their account, WordPress.com servers set a web cookie with name “wordpress_logged_in” into the users’ browser, Yan Zhu explained in a blog post. He noticed that this authentication cookie being sent over clear HTTP, in a very insecure manner.
One can grab HTTP cookies from the same Wi-Fi Network by using some specialized tools, such as Firesheep, a networking sniffing tool. The cookie can then be added to any other web browser to gain unauthorized access to the victim’s WordPress account and in this way a WordPress.com account could be easily compromised.
Wordpress hacking cookies
Using stolen cookies, an attacker can get access to the victim’s WordPress account automatically without entering any credentials and fortunately the vulnerability does not allow hijackers to change accountpasswords, but who cares? as the affected users would have no knowledge that their wordpress account has been hijacked.

Hijacking cookie on WP gives you login for 3 years. There’s no session expiration for the cookie, even when you log out.” Yan tweeted.

Using this technique, one can also see blog statistics, can post and edit articles on the hijacked WordPress blog and same account also allows the attacker to comment on other WordPress blogs from the victim’s profile. Sounds Horrible! Isn’t it?

But, an attacker “couldn’t do some blog administrator tasks that required logging in again with the username/password, but still, not bad for a single cookie.” she explained.

She recommends that WordPress ‘should set the “secure” flag on sensitive cookies so that they’re never sent in plaintext.’

The Good news is that, if you own a self-hosted WordPress website with full HTTPS support, then your blog is not vulnerable to cookies reuse flaw.

Recently, similar Cookies reuse vulnerability was discovered by ‘The Hacker News‘ team on eBay website, that could allow an attacker to hijack eBay accounts without knowing the victims’ actual credentials.

Facebooktwittergoogle_plus

Leave a Reply