Users of WordPress may want to watch out: an unaddressed zero-day vulnerability in the password reset flow still poses a threat to their accounts.
Password Reset Exploit a Danger to WordPress Users
Researcher Dawid Golunski of Legal Hackers says that WordPress Core contains a vulnerability that could allow attackers to obtain other users' password reset links and so reset their passwords. Golunski disclosed the issue on Wednesday through his new security service, ExploitBox.
The vulnerability exists because, by default, WordPress uses what Golunski calls untrusted data when it builds the password reset email.
According to Golunski, this sets up a situation where an attacker could intercept the email containing a user's password reset link.
This happens because WordPress takes the hostname for the From/Return-Path headers of the password reset email from the SERVER_NAME server variable. On common default web server configurations that variable is filled in from the Host header of the incoming request, so an attacker who requests a reset with a crafted Host header can insert a domain they control, and the outgoing email then carries the attacker's address as its sender and bounce address, according to Golunski.
The researcher explains the process further, saying:
“Depending on the configuration of the mail server, it may result in an email that gets sent to the victim WordPress user with such malicious From/Return-Path address set in the email headers. This could possibly allow the attacker to intercept the email containing the password reset link in some cases requiring user interaction as well as without user interaction.”
Golunski also described three situations in which the attacker-controlled sender address delivers the reset link. First, a denial-of-service attack on the victim's mailbox (for example, filling it past its quota) so that the reset email cannot be delivered and bounces back to the attacker's Return-Path address. Second, an auto-responder on the victim's account may include a copy of the original message, reset link included, in the body of its automatic reply.
And finally, by sending multiple password reset emails, the attacker could prompt the victim to reply to the sender asking for an explanation, and that reply may quote the original message containing the reset link.
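The sender derivation described above, and the bounce path of the first scenario, modelled in Python as an added example (it is not WordPress code and not from Golunski's advisory): the vulnerable path builds the sender domain from the request's Host header, as SERVER_NAME would supply it on a default virtual host, stripping a leading www. as WordPress does; the hardened path takes the sender from configuration and checks the Host header against an allowlist before serving a reset at all. The site names, the attacker domain, the victim address and the reset link are constructed for the example.

```python
"""Added example (not WordPress code): how an attacker-supplied Host header
ends up as the sender of a password-reset email, next to a pinned sender.

Everything here is a model of the flaw described in the article. Hostnames,
addresses and the reset link are constructed for the example.
"""
from email.message import EmailMessage
from email.utils import formataddr

LOCAL_PART = "wordpress"

# Constructed site configuration used by the hardened path.
CANONICAL_HOST = "blog.example"
ALLOWED_HOSTS = {"blog.example", "www.blog.example"}


def server_name_from_host(host_header: str) -> str:
    """Model of SERVER_NAME on a default virtual host: the request's Host
    header, lower-cased, with any :port suffix dropped (an assumption about
    the server; the exact rules do not matter for the attack)."""
    return host_header.strip().lower().split(":", 1)[0]


def sender_from_request(host_header: str) -> str:
    """Vulnerable derivation, as the article describes it: the sender domain
    comes from SERVER_NAME, so the attacker's Host header becomes the sender
    domain. A leading 'www.' is stripped as WordPress does."""
    sitename = server_name_from_host(host_header)
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return f"{LOCAL_PART}@{sitename}"


def host_is_allowed(host_header: str) -> bool:
    """Guard for the reset endpoint: refuse requests whose Host header is not
    one of the site's own names instead of trusting it."""
    return server_name_from_host(host_header) in ALLOWED_HOSTS


def sender_pinned() -> str:
    """Hardened derivation: the sender never depends on the request."""
    return f"{LOCAL_PART}@{CANONICAL_HOST}"


def build_reset_mail(sender: str, recipient: str, reset_url: str) -> EmailMessage:
    """Assemble the reset email. Return-Path here stands for the envelope
    sender (SMTP MAIL FROM): bounces and most auto-replies go there."""
    msg = EmailMessage()
    msg["From"] = formataddr(("WordPress", sender))
    msg["Return-Path"] = f"<{sender}>"
    msg["To"] = recipient
    msg["Subject"] = "Password Reset"
    msg.set_content(f"To reset your password, visit the following address:\n{reset_url}\n")
    return msg


def bounce_recipient(msg: EmailMessage) -> str:
    """Where a bounce (or an auto-reply that quotes the message) is delivered.
    With the vulnerable derivation this is a mailbox the attacker controls."""
    return str(msg["Return-Path"]).strip("<>")


if __name__ == "__main__":
    crafted_host = "attacker-mail.example"   # constructed attacker domain
    victim = "victim@blog.example"            # constructed victim address
    link = "https://blog.example/wp-login.php?action=rp&key=EXAMPLEKEY&login=victim"

    # Vulnerable path: the reset email's bounce address is the attacker's.
    vulnerable = build_reset_mail(sender_from_request(crafted_host), victim, link)
    print("vulnerable From:       ", vulnerable["From"])
    print("vulnerable Return-Path:", bounce_recipient(vulnerable))

    # Hardened path: the crafted Host is rejected and the sender is fixed.
    if host_is_allowed(crafted_host):
        raise SystemExit("crafted Host header should have been rejected")
    hardened = build_reset_mail(sender_pinned(), victim, link)
    print("hardened Return-Path:  ", bounce_recipient(hardened))
```

Run it and the vulnerable message's Return-Path lands on the attacker's domain, so a bounce from an overfull victim mailbox, or an auto-reply that quotes the message, is delivered to the attacker. On a WordPress install the equivalent of sender_pinned is returning a fixed address from the wp_mail_from filter, and the root cause is removed at the web server by making SERVER_NAME canonical, for example Apache's UseCanonicalName On together with an explicit ServerName.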
Clef’s Shadow Looms Large
The news of this vulnerability comes at a time when users are moving on from one of WordPress’ primary identity authentication methods, Clef.
Clef was a login method that did not require the use of a password. It was popular with WordPress clients, with over 1 million active WordPress websites using it as an alternative to the traditional password.
The idea was a login method that removed the password as the means of confirming one's identity online and was more secure than a password, in other words less exposed to the problems that plague passwords, such as this WordPress flaw.
Ultimately, Clef was unable to overcome people's attachment to traditional login methods. In early March, CEO Brennen Byrne announced on Clef's official blog that the company would be discontinuing support for the plug-in.
The plug-in would remain fully functional for another three months, giving users time to adjust before operations shut down completely on June 6, 2017.
Now, with this new flaw disclosed to the public, WordPress users will have to find other ways to combat the weaknesses of passwords as their strongest alternative goes offline for good.
What do you think of WordPress’ password exploit? Let’s hear your thoughts.
Images via Tripwire, Clef