Anyone who logs into their Wordpress account from public WiFi should take note that the user authentication cookies used for logging in are not encrypted and are easily hijacked by anyone looking to steal information. More importantly, this method of hijacking cookies manages to circumvent two-stage authentication.
A technologist at the Electronic Frontier Foundation, Yan Zhu, noticed the ‘wordpress_logged_in’ cookie being sent over regular HTTP while looking for a bug report. She then grabbed the cookie to examine it and discovered that Wordpress does not encrypt cookies as required for good security practices. The cookie can then be copied and pasted to any other browser to gain access to the victim’s Wordpress account.
Fortunately the security flaw does not allow hijackers to change passwords; as that information is stored within a different – and more secure – cookie. It, however, does allow others to read private messages, post new blog entries, view blog stats, and comment on other posts as the original user.
The Wordpress cookie does not even expire after the user logs out, instead lasting for what Zhu notes is three years. Although, she admits that she has no idea how long it takes for the cookie to expire on the server side.
Wordpress admits that it is aware of the issue, and will fix it with the next release. Until then, users should be extra careful to avoid logging in over public WiFi. Although, it has been pointed out that the issue does not affect Wordpress sites using HTTPS.
[Source: Discrete Blogarithm]
