Vulnerability Found In WordPress Plugin Authentication
A vulnerability in two factor authentication using the duo_wordpress plugin has been identified and could potentially affect any users who have multisite WordPress setups using the plugin.
The potential problem of the two factor authentication process was identified by Jon Oberhide from Duo Security who outlined the risks that could face anyone using the plugin but stressed that this problem was limited to those who have both multisite WordPress setups and the two factor authentication plugin working together and that nobody else would be at risk.
Two factor authentication on a WordPress site is favoured by many who are looking to increase the security of their site by not only using the standard login in and password to enter the site but also employing a second security step.
Those using two factor authentication will be asked for second factor information to be given before access is granted to a site but the problem with the WordPress plugin from Duo Security means that a user working within the multisites can enter first with the two factor authentication process and then move to another site without having to complete this.
The impact of the vulnerability was outlined by Duo Security, however Jon Oberhide believed that the original message to users had been confused leading to many people thinking that they were at risk when they were not.
To make the risk clear Jon Oberhide reiterated on a blog post:
· Only WordPress “Multisite” deployments that have chosen to deploy the plugin on an individual site basis are affected.
· Normal WordPress deployments or Multisite deployments with the plugin enabled globally are NOT affected.
· The user must still present correct primary authentication (eg. username and password); only the second factor is bypassed.
Currently the problem only affects WordPress users operating with the 1.8.1 version or earlier versions and Duo Security are working to fix the problem regarding the security vulnerability.
While this problem only affects a limited number of people it has been stated by Duo Security that other plugins that use two factor authentication also have the same problem.
The advice being given to any users who may be concerned about their security is to contact the vendor of their WordPress plugin and ask if there is a patch available to secure the site.
WordPress users should always be aware of potential security threats, especially if you are using multisites which could see many sites becoming vulnerable at one time.
Duo Security have informed other vendors of similar plugins for WordPress about the potential problems and updates should be made available in the very near future.