WordPress cookie flaw could lead to near account takeover

A recently discovered WordPress cookie flaw could lead to a near account takeover if leveraged, according to a blog penned by Yan Zhu, a staff technologist at EFF.

As Zhu was looking for privacy options in WordPress, she found that it didn't encrypt the browser cookie, but rather sent it over HTTP in plaintext. After logging out of her account, she pasted her “wordpress logged in” cookie into a new browser and eventually was able to log into WordPress without inputting her log-in information.

Once in, Zhu could view private posts, pose as the account holder to comment on other posts, and peruse blog statistics. In an update to her blog, Zhu wrote that the flaw could be leveraged to set up two-factor authentication and lock users out of their accounts.

WordPress has since taken steps to address the flaw.
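The replay Zhu describes works because a browser will send any cookie that lacks the `Secure` attribute over plain HTTP, where it can be read in transit. The following is an added example, not WordPress code or part of the original article: a small auditor that parses `Set-Cookie` headers and flags session-looking cookies that are missing `Secure`, `HttpOnly`, or an explicit `SameSite` value. The cookie name and value in the sample responses are constructed for illustration, and the list of name hints used to decide what counts as a session cookie is an assumption of this example.

```python
# Added example: audit Set-Cookie headers for session cookies that a browser
# would also send over plaintext HTTP. Not WordPress code; the sample headers
# below are constructed for illustration.

# Assumed heuristic: substrings that suggest a cookie carries a login session.
SESSION_COOKIE_HINTS = ("logged_in", "sess", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    segments = [s.strip() for s in header.split(";") if s.strip()]
    name, _, value = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        key, _, val = seg.partition("=")
        # Flag-style attributes (Secure, HttpOnly) have no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    """Heuristic: does the cookie name suggest it holds a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header (empty means no issue)."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if not looks_like_session_cookie(name):
        return findings
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure; browser will also send it over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly; readable by page scripts")
    samesite = attrs.get("samesite")
    if samesite is True or samesite is None or samesite.lower() == "none":
        findings.append(f"{name}: SameSite absent or None; set Lax or Strict explicitly")
    return findings


def audit_response_headers(headers):
    """Audit every Set-Cookie header in a list of (name, value) header tuples."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            findings.extend(audit_set_cookie(hvalue))
    return findings


# Constructed sample responses: the first sets a login cookie without Secure,
# the second sets the same cookie with the attributes that keep it off plain HTTP.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "wordpress_logged_in_example=alice%7C1400000000%7Cdeadbeef; Path=/; HttpOnly"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "wordpress_logged_in_example=alice%7C1400000000%7Cdeadbeef; "
                   "Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response_headers(resp) or ["no findings"])
```

Run against captured response headers, the auditor reports the weak response's login cookie twice (no `Secure`, no explicit `SameSite`) and reports nothing for the hardened one; non-session cookies such as a theme preference are ignored by the name heuristic.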
