Unencrypted Cookie Creates Huge WordPress Vulnerability, Compromises 2-Step Authentication

WordPress.com is one of the most popular hosting platforms online. Electronic Frontier Foundation (EFF) has now identified a gaping vulnerability in WordPress.com which essentially allows anyone with basic hacking skills to access a WordPress account and hijack it for good.


The whole culprit is a cookie tagged ‘wordpress_logged_in’, and the problem with this cookie is that it isn’t encrypted. As the name suggests, the cookie contains login information and is generated only when the user provides a valid username and password for his WordPress.com site.

The WordPress.com platform itself receives the cookie and only then lets the user log in and access the behind-the-scenes features of the site or the blog. However, a hacker can easily intercept the cookie because it isn’t encrypted and then use it for malicious purposes. The hacker can, for instance, present the cookie to log in without providing any username or password. This works even if the original owner of the account has enabled two-step authentication.
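An added check from the defender's side (not code from the article, EFF or WordPress): audit the Set-Cookie headers a site returns and flag a login cookie that lacks the Secure attribute, since a browser will then send it over plain HTTP as well. The response headers below are constructed samples, not captured from WordPress.com.

```python
from typing import Dict, List, Set

# Constructed sample responses. The first delivers the login cookie without the
# Secure flag, so the browser also attaches it to plain-HTTP requests, where
# anyone on the network path can read and replay it. The second is the hardened form.
WEAK_RESPONSE = [
    "Set-Cookie: wordpress_logged_in_abc123=user%7C1400000000%7Chash; path=/; httponly",
    "Set-Cookie: wp_settings=editor%3Dtinymce; path=/",
]
HARDENED_RESPONSE = [
    "Set-Cookie: wordpress_logged_in_abc123=user%7C1400000000%7Chash; path=/; secure; httponly",
    "Set-Cookie: wp_settings=editor%3Dtinymce; path=/; secure",
]

# Cookie name prefix that carries authentication state (named in the article).
LOGIN_COOKIE_PREFIX = "wordpress_logged_in"


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a lower-cased attribute set."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Set[str] = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return {"name": name, "value": value, "attrs": attrs}


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per login cookie that lacks Secure or HttpOnly."""
    findings: List[str] = []
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(header)
        if not str(cookie["name"]).startswith(LOGIN_COOKIE_PREFIX):
            continue  # non-authentication cookies are out of scope for this check
        if "secure" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing Secure, cookie will be sent over plain HTTP")
        if "httponly" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing HttpOnly, readable by page scripts")
    return findings


if __name__ == "__main__":
    print(audit_cookies(WEAK_RESPONSE))      # one Secure finding
    print(audit_cookies(HARDENED_RESPONSE))  # []
```

Marking the cookie Secure keeps it off plain HTTP, but a cookie that has already been captured stays valid until the session is invalidated server-side, which is why the article's point about two-step authentication not helping here still holds.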

Once a hacker has access to the account, he can read through the messages, publish new posts and perform a number of tasks which otherwise require administrative permissions. The worst part is that the hacker can then change the corresponding email address of the account, thus effectively locking out the original owner permanently.

Yan Zhu, who is a staff technologist at EFF, tested out the whole scenario by hacking her own WordPress.com account. According to her, the vulnerability can compromise a WordPress.com account almost instantly. WordPress.com is a service offered by Automattic and is distinct from the open source WordPress project.

WordPress lead developer Andrew Nacin responded to Ars Technica:

Most issues Yan identified apply specifically to WordPress.com. WordPress.com is a hosted service by Automattic, and is independent from the WordPress open source project they contribute to and use. These issues should be able to be fixed and deployed fairly quickly by Automattic’s security team, though it seems like this was publicly disclosed without much forewarning.

Though the WordPress core software works fairly well over SSL now, there are a number of things we’ve already had slated for the next release to improve SSL support out of the box. I only wish having an SSL certificate were more commonplace.

Source: Yan Zhu



Salman Latif is a software engineer with a specific interest in social media, big data and real-world solutions using the two. Other than that, he is a bit of a gypsy. He also writes in his own blog. You can find him on Google+ and Twitter.
