Tell HN : Wordpress.com exploit
110 points by sandaru1 on March 19, 2010 | 57 comments
There seems to be a very serious wordpress.com exploit which allows 3rd party sites/domains to gather a hash code which can be used to log in to a user's account. Here is how to reproduce:

1. Login to wordpress.com

2. Take a look at this page: http://www.sandaru1.com/wordpress_test.html (This page just shows the hashcode/URL; I'm not saving any hashcodes)

3. Open another browser (in an attacker's case, his/her browser) and paste the URL shown in the page

4. Go to wordpress.com in the new browser and you are logged in

The exploit itself seems to be too simple. Am I missing something here or is this a serious bug?

P.S. I emailed both Automattic support and Matt Mullenweg. I didn't get any response back.




WordPress.com team is investigating the issue. They have disabled the vector while they continue to investigate.


Do you work on the Wordpress.com team? No info in your profile.


Yes. Updated my profile, but don't believe what you read on the interwebs ;-)


Ha! Funny as always.

Too bad there is no way of verifying you are really lloyd.

Seems like we could come up with something - even if it only works for techies.


You mean like foaf+ssl?


Is it a general bug in WordPress MU or just an issue with wordpress.com?


Specific to WordPress.com.

Not a general bug in WordPress or WordPress MU.


How did you contact them by the way? I've been looking for ways to get in touch with them with a security related question but can't find anything, which doesn't look good on their part, especially with their security record.


Does seem a little tricky to find.

security at wordpress.org, listed at http://core.trac.wordpress.org/

Members of WordPress.com are on that mailing list as well.

http://en.support.wordpress.com/contact/ if anything is definitely WordPress.com specific, but I suggest always including security at wordpress org, because there may be another permutation to the attack.


Indeed, they don't have a method for reporting security exploits. Wordpress Blogging Platform has one, but this issue is only limited to wordpress.com. I believe it has something to do with intensedebate.com

First I sent an email to Matt (http://ma.tt/contact/). Then I used the Automattic contact form (http://automattic.com/contact/).


I experienced something similar a while back when I tarred up a live instance of a wordpress installation and fired it up on my local machine. To deal with redirects, I changed /etc/hosts to resolve the live domain to the local IP. While I was working on the local copy, I would from time to time need to refer to the live instance. To do this, I'd comment out the entry in /etc/hosts and browse to the live site. At some point, I noticed that the theme for the live site had been set back to the default. When I investigated, it turned out that my session credentials for the local instance were honored by the live (remote) site.

The odd thing about this is that I hadn't been given the admin password for the remote-live wordpress instance. I had manually modified the database to change the admin password in order to work on the local instance before firing it up.

I never did look into how wordpress created or verified session credentials, but it did seem like something odd was going on, there.


I haven't tested this, but if it truly works, one just needs to include <script src="http://wordpress.com/remote-login.php?action=jsonp&jsonp...; in a page and harvest hashes of its visitors?


Yes. Just a simple JSONP API call.
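An added example, not code from this thread or from WordPress.com, showing in JavaScript why the pattern described in the two comments above is dangerous and how a defender closes it. The cookie name, the session store, the key format and the request shape are assumptions made for illustration. The browser attaches cookies to a script load regardless of which page embedded the tag, so an endpoint that serializes a credential into a JSONP callback hands that credential to every page its logged-in visitors happen to load:

```javascript
// Added example (not WordPress.com's code): a JSONP "remote login" handler
// that echoes a login credential to any request carrying the session cookie,
// next to a hardened handler. Cookie name, key format and request shape are
// assumptions for illustration.

const SESSION_COOKIE = 'wp_session'; // assumed cookie name

// Constructed session store for the demo: cookie value -> account.
const SESSIONS = new Map([['s3ss10n-abc', { user: 'alice' }]]);

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Risky pattern: the server cannot tell a <script src=...> include on a
// third-party page from a call made by its own pages, because the browser
// sends the session cookie either way. Every logged-in visitor therefore
// gets a fresh login key written straight into a script body that the
// embedding page can read through its callback.
function vulnerableRemoteLogin(req) {
  const cookies = parseCookies(req.headers['cookie']);
  const session = SESSIONS.get(cookies[SESSION_COOKIE]);
  if (!session) return { status: 401, body: 'not logged in' };
  const key = `login-key-for-${session.user}`; // placeholder for a real one-time key
  return { status: 200, body: `${req.query.jsonp}(${JSON.stringify({ key })})` };
}

// Hardened handler: (1) refuse script-destination and non-same-origin
// requests using the Sec-Fetch-* metadata headers modern browsers send;
// (2) answer with plain JSON and no callback wrapper, so a <script> include
// cannot consume the body; (3) report only a boolean, never the credential.
// Browsers too old to send Sec-Fetch-* are still covered by (2) and (3)
// together with the SameSite cookie attribute set below.
function hardenedRemoteLogin(req) {
  const site = req.headers['sec-fetch-site'];
  const dest = req.headers['sec-fetch-dest'];
  if (dest === 'script' || (site && site !== 'same-origin')) {
    return { status: 403, body: '{"error":"cross-site or script request refused"}' };
  }
  const cookies = parseCookies(req.headers['cookie']);
  const session = SESSIONS.get(cookies[SESSION_COOKIE]);
  if (!session) return { status: 401, body: '{"loggedIn":false}' };
  return { status: 200, body: JSON.stringify({ loggedIn: true, user: session.user }) };
}

// Set-Cookie attributes that stop the browser from attaching the session
// cookie to a cross-site <script> load in the first place.
function sessionSetCookie(value) {
  return `${SESSION_COOKIE}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Simplified model of the browser's SameSite rule for a cross-site subresource
// such as a <script> tag on another site's page: Strict and Lax cookies are
// withheld, only SameSite=None cookies travel. A missing attribute is treated
// as Lax, the default in current browsers.
function cookieSentOnCrossSiteScript(setCookieHeader) {
  const m = /;\s*SameSite=(\w+)/i.exec(setCookieHeader);
  const mode = m ? m[1].toLowerCase() : 'lax';
  return mode === 'none';
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed request: a logged-in visitor's browser loading the endpoint
  // as a <script> embedded on some other site.
  const crossSiteScript = {
    headers: { cookie: 'wp_session=s3ss10n-abc', 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'script' },
    query: { jsonp: 'cb' },
  };
  console.log('vulnerable:', vulnerableRemoteLogin(crossSiteScript));
  console.log('hardened:  ', hardenedRemoteLogin(crossSiteScript));
  console.log('Lax cookie sent cross-site?', cookieSentOnCrossSiteScript(sessionSetCookie('s3ss10n-abc')));
}
```

The three hardening steps are independent; the SameSite attribute alone would have stopped the cookie from travelling, but the endpoint should also stop emitting a credential, because a cookie attribute can be relaxed later for unrelated reasons and a login key in a script body is a leak waiting for the next embedding context.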


Is there wordpress JSONP API documentation anywhere? A couple of Google searches didn't turn anything up.


I checked out the Wordpress source just now and no mention of remote-login. I don't know if wordpress.com itself has any API documentation.


It looks like they have an xmlrpc.php file - so you could try using that.


Just curious, how long did you wait for a response before doing the whole full disclosure thing? :-\


About 2/3 days


like in 2 or 3 days, or like 0.666 days? :)


2 or 3 days


A couple of weeks ago I found a WP-related hack on MT, had the same dilemma. I still wonder what the proper protocol is.


For core issues (WordPress.org), send an email with the details to:

security@wordpress.org

For WordPress.com specific issues, you can use the general support form:

http://en.support.wordpress.com/contact/


General support form for inbound security findings? Check!

Word "security" appears nowhere on the front page? Check!

Word "security" appears nowhere on the support page? Check!

Guys. Please. Fix this! It's not like it's unlikely that someone is going to want to report things to you.

You need:

* A security page...

* ... with a PGP key ...

* ... and an email contact ...

* ... of someone who will write back immediately ...

* ... who knows what a security vulnerability is.

That's all you need to do. You haven't done that yet. You come close on Wordpress.org, but not close enough. You are asking people to wait only 2-3 days before writing scary-sounding blog posts. This is too easy not to fix.

While you're at it, earn some extra credit:

* Reply with special vulnerability IDs so that reporters think their report isn't waiting in line after bugs in your online help system. Whether it actually is or isn't isn't even a problem you need to solve yet.

* Thank researchers privately instead of ignoring them.

* Give them a phone number to call back and get status on their report. You're a company. You can scale this.

* Be like Google, Apple, and Microsoft and keep a thank-you page for people who have disclosed problems "responsibly" to you.


Some more useful advice for Open Source projects and security/release management can be found in "Producing Open Source Software" from http://producingoss.com/en/publicity.html


Awesome comments and advice. My co-workers are working on this.


Situations like this are why I've chosen to stay away from wordpress.


If this was your personal site or a custom CMS, odds are there wouldn't be enough community support to report bugs (or exploits) like this one. You'd simply go about your business thinking your site was secure.


Wordpress is many good things. Secure is not one of them. It has a genuinely weak design.


If it was my personal site, I would serve flat files. The fundamental problem with Wordpress is a design decision to have live code serving what could easily be static content. If there is no code, there's no exploit.


Personally, the reason is that there are often many security issues related with wordpress. I know that no software is perfect, but if I write the software I can be responsible for it, while if I rely on other people software I'm still responsible but for something I don't truly understand. I think wordpress is a fantastic blogging platform, but from a security perspective it's not.


I know he didn't state which direction he chose, but assuming that he's incompetent is pretty bad on your part.

I remember a few months ago, WordPress had a bug where an attacker could keep on resetting the administrator's account password. He might actually have a point.


Incompetence has nothing to do with it. It's just all too common that we overlook something in our code. All software inherently has bugs as no developer is perfect. There's a lot to be said about having millions of prying eyes nitpicking your source code. I'd much rather millions of people critiqued my code as opposed to none at all.


Have you looked at the code? When I started using WordPress on my personal site, people warned me not to look behind the curtains. It seems pretty notorious for being a mess.


Some software needs more of this sort of assistance than others.


... So what do you use for blogging software, if you use anything?


You didn't ask me, but may I suggest git and a static site generator? That's what we're doing, and we're thrilled with it.


Definitely a good idea. Blogs are inherently non-dynamic, except for the once-in-a-while article posting, for which you can have a tiny piece of public-facing software dedicated to that one small task (if you even want that). Or your software can just rsync the new version of your blog to the live server.

I've written off commenting on blogs... so while that was the reason why I made Angerwhale dynamic, I will never be tempted to make that mistake again. Blogs are static pages with an index, per-tag indexes, and a few XML feeds. No database queries should be made to show someone a blog post.


I want to start blogging, and I'm considering Jekyll + Disqus. Many people seem to use this combo to add comments to a static website. You may get the "best of both worlds": static website + dynamic comments.

There is a discussion on Jekyll (and Disqus) here: http://news.ycombinator.com/item?id=998411


Which static site generators did you evaluate, and which did you end up choosing?


Jekyll and nanoc3. We went with nanoc3, which was the first one we were able to get working right. I have very few preferences other than "want Ruby" and "must actually work".


For one website I use Rails. I made the platform in 2 days with full cache caching (http://www.freestylemind.com). For my technical blog (http://oscardelben.com) I now use nesta, but I was previously using jekyll. For my needs they work very well.


I sent this News.YC page over to Barry over at Wordpress who runs ops.

FWIW, I tested this and it does seem to work.


ok, I got a friend to copy/paste my URL into their browser over IM (currently in the wrong office to access different IPs) and it didn't work (I am assuming they did it right, etc.).

So this looks like it could be a local exploit only (doesn't make it any less exploitable).


I get "Invalid key." locally.


I get that if you try the same hash twice. Go to wordpress.com and see if it logged you in.


Based on a comment below it seems this doesn't affect local installs of Wordpress since the source doesn't include remote-login.php.


OK Here's what I experienced.

First I logged in to WP, got the URL from sandaru1's page. I logged out and tried the URL. And yes it worked. Then I deleted all wordpress cookies and tried again. Then I got the "invalid key" response.

Again logged in and fetched a new URL. This time I got a 502 with the URL. Refreshing took me to the 'invalid key' message (didn't touch cookies).

Update: Sandaru1's page doesn't provide a URL anymore (for me). Maybe it's fixed?

Update2: Going to Sandaru1's page once logged in to WP now logs me out.


Works for me. :|


yep, me too. ouch.

EDIT: is this tested on different IP addresses? I only have the one IP address in this office to try it on - I could see it being IP secured.


I tested it using two different IP addresses about two days ago. Exploit is still there. Even if there are IP restrictions, it might be dangerous.


Shoot, works for me. WTF.

Edit:

Post this exploit here: http://en.forums.wordpress.com/forum/support

Of course, you'd have to be logged in first. =p


I wouldn't post it there. I would contact them privately. We don't want any random stroller of the wordpress forums to get a hold of this.


but you would let a random stroller of hn get hold of this??


That ship has already sailed. The more places it's posted, the worse it is.


Interesting that you consider HN a hangout for good guys only. A compliment!


I never said I consider HN a hangout for good guys only. "Bad guys" are constantly looking for exploits in wordpress though, considering its horrible track record. Therefore it's much more likely that one of them would go to the wordpress forums as opposed to here. Plus, it's already posted here; my point was to not make it any more public than it already has become.


Is there any way that it's fixed already? I got the message "Invalid key." while trying to go to that URL in incognito/private mode OR in another browser.



