Tell HN: Wordpress.com exploit - sandaru1

There seems to be a very serious wordpress.com exploit which allows 3rd party sites/domains to gather a hash code which can be used to log in to a user's account. Here is how to reproduce:

1. Log in to wordpress.com

2. Take a look at this page: http://www.sandaru1.com/wordpress_test.html (This page is just showing the hashcode/url, I'm not saving any hashcodes)

3. Open another browser (in an attacker's case, his/her browser) and paste the URL shown in the page

4. Go to wordpress.com on the new browser and you are logged in

The exploit itself seems to be too simple. Am I missing something here or is this a serious bug?

P.S. - I emailed both Automattic support and Matt Mullenweg. I didn't get any response back.
======
lloydbudd
WordPress.com team is investigating the issue. They have disabled the vector
while they continue to investigate.

~~~
stanleydrew
Do you work on the Wordpress.com team? No info in your profile.

~~~
lloydbudd
Yes. Updated my profile, but don't believe what you read on the interwebs ;-)

~~~
anotherjesse
Ha! Funny as always.

Too bad there is no way of verifying you are really lloyd.

Seems like we could come up with something - even if it only works for
techies.

~~~
savant
You mean like foaf+ssl?

------
bittersweet
How did you contact them by the way? I've been looking for ways to get in
touch with them with a security related question but can't find anything,
which doesn't look well on their part, especially with their security record.

~~~
lloydbudd
Does seem a little tricky to find.

security at wordpress.org, listed at <http://core.trac.wordpress.org/>

Members of WordPress.com are on that mailing list as well.

<http://en.support.wordpress.com/contact/> if anything is definitely
WordPress.com specific, but I suggest always including security at wordpress
org, because there may be another permutation to the attack.

------
elptacek
I experienced something similar a while back when I tarred up a live instance
of a wordpress installation and fired it up on my local machine. To deal with
redirects, I changed /etc/hosts to resolve the live domain to the local IP.
While I was working on the local copy, I would from time to time need to refer
to the live instance. To do this, I'd comment out the entry in /etc/hosts and
browse to the live site. At some point, I noticed that the theme for the live
site had been set back to the default. When I investigated, it turned out that
my session credentials for the local instance were honored by the live
(remote) site.

The odd thing about this is that I hadn't been given the admin password for
the remote-live wordpress instance. I had manually modified the database to
change the admin password in order to work on the local instance before firing
it up.

I never did look into how wordpress created or verified session credentials,
but it did seem like something odd was going on, there.

------
ronnier
I haven't tested this, but if it truly works, one just needs to include
<script src="http://wordpress.com/remote-login.php?action=jsonp&jsonp=get_hash"></script>
in a page and harvest hashes of its visitors?

~~~
sandaru1
Yes. Just a simple JSONP API call.

~~~
stanleydrew
Is there wordpress JSONP API documentation anywhere? A couple of Google
searches didn't turn anything up.

~~~
bittersweet
I checked out the Wordpress source just now and no mention of remote-login. I
don't know if wordpress.com itself has any API documentation.

~~~
ErrantX
It looks like they have an xmlrpc.php file - so you could try using that.

------
jcsalterego
Just curious, how long did you wait for a response before doing the whole full
disclosure thing? :-\

~~~
sandaru1
About 2/3 days

~~~
growt
like in 2 or 3 days, or like 0.666 days? :)

~~~
sandaru1
2 or 3 days

~~~
vinhboy
Couple of weeks ago I found a WP related hack on MT, had the same dilemma. I
still wonder what the proper protocol is.

~~~
hew
For core issues (WordPress.org), send an email with the details to:

security@wordpress.org

For WordPress.com specific issues, you can use the general support form:

<http://en.support.wordpress.com/contact/>

~~~
tptacek
General support form for inbound security findings? Check!

Word "security" appears nowhere on the front page? Check!

Word "security" appears nowhere on the support page? Check!

Guys. Please. Fix this! It's not like it's unlikely that someone is going to
want to report things to you.

You need:

* A security page...

* ... with a PGP key ...

* ... and an email contact ...

* ... of someone who will write back immediately ...

* ... who knows what a security vulnerability is.

That's all you need to do. You haven't done that yet. You come close on
Wordpress.org, but not close enough. You are asking people to wait only 2-3
days before writing scary-sounding blog posts. This is too easy not to fix.

While you're at it, earn some extra credit:

* Reply with special vulnerability IDs so that reporters think their report isn't waiting in line after bugs in your online help system. Whether it actually is or isn't isn't even a problem you need to solve yet.

* Thank researchers privately instead of ignoring them.

* Give them a phone number to call back and get status on their report. You're a company. You can scale this.

* Be like Google, Apple, and Microsoft and keep a thank-you page for people who have disclosed problems "responsibly" to you.

~~~
tshtf
Some more useful advice for Open Source projects and security/release
management can be found in "Producing Open Source Software" from
<http://producingoss.com/en/publicity.html>

------
oscardelben
Situations like this are why I've chosen to stay away from wordpress.

~~~
jqueryin
If this was your personal site or a custom CMS, odds are there wouldn't be
enough community support to report bugs (or exploits) like this one. You'd
simply go about your business thinking your site was secure.

~~~
wildmXranat
I know he didn't state which direction he chose, but assuming that he's
incompetent is pretty bad on your part.

I remember a few months ago, wordpress had a bug where an attacker could keep on
resetting the administrator's account password. He might actually have a point.

~~~
jqueryin
Incompetence has nothing to do with it. It's just all too common that we
overlook something in our code. All software inherently has bugs as no
developer is perfect. There's a lot to be said about having millions of prying
eyes nitpicking your source code. I'd much assume millions of people critiqued
my code as opposed to none at all.

~~~
shrughes
Have you looked at the code? When I started using WordPress on my personal
site, people warned me not to look behind the curtains. It seems pretty
notorious for being a mess.

------
davidu
I sent this News.YC page over to Barry over at Wordpress who runs ops.

FWIW, I tested this and it does seem to work.

------
ErrantX
OK, I got a friend to copy/paste my url into their browser over IM (currently
in the wrong office to access different IPs) and it didn't work (I am
assuming they did it right, etc.).

So this looks like it could be a local exploit only (doesn't make it any less
exploitable)

~~~
teye
I get "Invalid key." locally.

~~~
ErrantX
I get that if you try the same hash twice. Go to wordpress.com and see if it
logged you in.

------
stanleydrew
Based on a comment below it seems this doesn't affect local installs of
Wordpress since the source doesn't include remote-login.php.

------
chanux
OK Here's what I experienced.

First I logged in to WP, got the URL from sandaru1's page. I logged out and tried
the URL. And yes it worked. Then I deleted all wordpress cookies and tried
again. Then I got the response as invalid key.

Again logged in and fetched new URL. This time I got a 502 with the URL.
Refreshing took me to the 'invalid key' message (didn't touch cookies).

Update: sandaru1's page doesn't provide a url anymore (for me). Maybe it's
fixed?

Update2: Going to sandaru1's page once logged in to WP now logs me out.

------
phreanix
Shoot, works for me. WTF.

Edit:

Post this exploit here: <http://en.forums.wordpress.com/forum/support>

Of course, you'd have to be logged in first. =p

~~~
sev
I wouldn't post it there. I would contact them privately. We don't want any
random stroller of the wordpress forums to get a hold of this.

~~~
vijaydev
but you would let a random stroller of hn get hold of this??

~~~
sev
That ship has already sailed. The more places it's posted, the worse it is.

------
jfarmer
Works for me. :|

~~~
ErrantX
yep, me too. ouch.

EDIT: is this tested on different IP addresses? I only have the one IP
address in this office to try it on - I could see it being IP secured.

~~~
sandaru1
I tested it using two different IP addresses about two days ago. Exploit is
still there. Even if there are IP restrictions, it might be dangerous.

------
jorisvoorn
Is there any way that it's fixed already? I've got the message "Invalid key."
while I was trying to go to that URL in incognito/private mode or in another
browser.

