The open-source WordPress blogging and content management system technology is potentially at risk from attackers that go after insecure cookies.
Yan Zhu, the staff technologist at the Electronic Frontier Foundation (EFF) who publicly exposed the risks, warned in a May 23 blog post of the risks from insecure cookies in WordPress.
“As mom always said, you should set the ‘secure’ flag on sensitive cookies so that they’re never sent in plain text,” Zhu wrote.
Cookies are widely used in WordPress and on Websites, in general, to store user preferences and credentials. Even if a Website has a log-in that is secured with Secure Sockets Layers (SSL) encryption, it is incumbent upon application developers to identify that cookies have the “secure flag” in place, which sends the cookie information over SSL, Zhu said.
Without having the secure flag in place for cookies, Zhu explained that she was able to log in to another user’s account. In Zhu’s research, she found that the cookie did not expire after each user session, meaning that it could be reused to log into to a WordPress user’s account repeatedly.
Zhu is no stranger to the world of online security and privacy. She is currently the maintainer of the HTTPS Everywhere browser extension, which directs users to the SSL versions of Websites in a bid to provide better security. Zhu is also a maintainer of the EFF’s Privacy Badger effort that aims to help users from being tracked online. The Privacy Badger effort is related to the Do Not Track Internet standards effort, which Yahoo recently dropped.
The research conducted by Zhu was against the WordPress.com hosted site, which is run by Automattic, the lead sponsor of the WordPress open-source project. WordPress sites can also be self-hosted by site owners using the open-source code. Zhu’s own blog, titled Discrete Blogarithm, on which she disclosed the cookie risk, is running on the open-source WordPress software.
From a WordPress perspective, a number of things can be done to improve security as it relates to cookies.
In an email to eWEEK, open-source WordPress developer Andrew Nacin explained that WordPress segregates its cookies for security.
“The front-end cookie is delivered over HTTP by default and is simply used to identify the user for the purposes of the logged-in toolbar, an edit post link in the theme, etc,” Nacin said. “The admin-only cookie is delivered with the secure flag if the user is forcing the dashboard to be used over SSL.”
The admin-only cookie is required to access the dashboard and change settings, manage posts or edit the user’s profile, Nacin said.
Nacin told Zhu that in the next WordPress release, SSL support would be improving and that the authorization cookies will be invalidated after a session ends to further protect users.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.