Tell HN : Wordpress.com exploit
There seems to be a very serious wordpress.com exploit which allows 3rd party sites/domains to gather a hash code which can be used to login to an user's account. Here is how to reproduce,
1. Login to wordpress.com
2. Take a look at this page : http://www.sandaru1.com/wordpress_test.html (This page is just showing the hashcode/url, I'm not saving any hashcodes)
3. Open another browser (in an attacker's case, his/her browser) and paste the URL shown in the page
4. Goto wordpress.com on the new browser and you are logged in
The exploit itself seems to be too simple. Am I missing something here or is this a serious bug?
P.S - I emailed both Automattic support and Matt Mullenweg. I didn't get any response back.
57 comments
[ 3.1 ms ] story [ 123 ms ] threadEDIT: is this tested on different IP addressess? I only have the one IP address in this office to try it on - I could see it being IP secured.
Edit:
Post this exploit here: http://en.forums.wordpress.com/forum/support
Of course, you'd have to be logged in first. =p
So this looks like it could be a local exploit only (doesn't make it any less exploitable)
security@wordpress.org
For WordPress.com specific issues, you can use the general support form:
http://en.support.wordpress.com/contact/
Word "security" appears nowhere on the front page? Check!
Word "security" appears nowhere on the support page? Check!
Guys. Please. Fix this! It's not like it's unlikely that someone is going to want to report things to you.
You need:
* A security page...
* ... with a PGP key ...
* ... and an email contact ...
* ... of someone who will write back immediately ...
* ... who knows what a security vulnerability is.
That's all you need to do. You haven't done that yet. You come close on Wordpress.org, but not close enough. You are asking people to wait only 2-3 days before writing scary-sounding blog posts. This is too easy not to fix.
While you're at it, earn some extra credit:
* Reply with special vulnerability IDs so that reporters think their report isn't waiting in line after bugs in your online help system. Whether it actually or isn't isn't even a problem you need to solve yet.
* Thank researchers privately instead of ignoring them.
* Give them a phone number to call back and get status on their report. You're a company. You can scale this.
* Be like Google, Apple, and Microsoft and keep a thank-you page for people who have disclosed problems "responsibly" to you.
security at wordpress.org Listed at http://core.trac.wordpress.org/
Members of WordPress.com are on that mailing list as well.
http://en.support.wordpress.com/contact/ if anything is definitely WordPress.com specific, but I suggest always including security at wordpress org, because there may be another permutation to the attack.
First I sent a email to matt(http://ma.tt/contact/). Then, I used the Automattic contact form(http://automattic.com/contact/)
FWIW, I tested this and it does seem to work.
First I loged in WP, got the URL from sandaru1s page. I logged out and tried the URL. And yes it worked. Then I deleted all wordpress cookies and tried again. Then I got the response as invalid key.
Again logged in and fetched new URL. This time I got a 502 with the URL. Refreshing took me 'invalid key' message (didn't touch cookies).
Update: Sandaru1s page doesn't provide a url anymore (for me). May be it's fixed?
Update2: Going to Sandaru1s page once logged in to WP now logs me out.
Too bad there is no way of verifying you are really lloyd.
Seems like we could come up with something - even if it only works for techies.
Not a general bug in WordPress or WordPress MU.
I remember few months ago, wordpress had a bug where an attacker could keep on resetting administrators account password. He might actually have a point
I've written off commenting on blogs... so while that was the reason why I made Angerwhale dynamic, I will never be tempted to make that mistake again. Blogs are static pages with an index, per-tag indexes, and a few XML feeds. No database queries should be made to show someone a blog post.
There is a discussion on Jekyll (and Disqus) here: http://news.ycombinator.com/item?id=998411
The odd thing about this is that I hadn't been given the admin password for the remote-live wordpress instance. I had manually modified the database to change the admin password in order to work on the local instance before firing it up.
I never did look into how wordpress created or verified session credentials, but it did seem like something odd was going on, there.