Security Reward for new Google Authenticator Plugin

I just released a new plugin into the WordPress.org repository, and am fairly confident that it’s secure, but since it modifies some of the default login behavior, I’d love to get some extra eyeballs on the code.

To that end, I’m offering a $150 Amazon.com gift certificate* to anyone who can find a significant vulnerability. By “significant”, I’m talking about bypassing username/password or 2FA token checks, privilege escalation, CSRF, etc; but of course I’d love to hear about anything else you can find too. You’ll just need to disclose it to me privately along with steps to reproduce it, then give me a chance to fix it before making it public.

* It doesn’t actually have to be Amazon; you can pick the store, or just request cash if you’d like.

 

Update 2013-12-11:

Cathy Fitzpatrick found a critical bug that leaked auth cookies, allowing an attacker to bypass the 2FA token prompt. It’s been fixed in r819086, and version 0.2 has been released. Please update to it immediately.

Basically what happened was the user would enter their username/password and they would be logged in, then the plugin would log them out and prompt them for a 2FA token. During the initial login, they were sent auth cookies, which WordPress uses to indicate whether or not a user is logged in. Those cookies were expired during the logout, but an attacker could pull the original ones out of the HTTP headers and manually create them, allowing them to login without the 2FA token prompt.

You can see the cookies by running:

curl -i --data "log=username&pwd=password&wp-submit=Log+In&testcookie=1" --cookie "wordpress_test_cookie=WP+Cookie+check" http://example.org/wp-login.php

This kind of esoteric vulnerability is exactly why I wanted to get other eyes on the code, and I’m very grateful to Cathy for finding it.

I sent Cathy the reward, but I’ll send another one to anyone else who finds a new vulnerability, so keep them coming :)

Leave a Reply

Your email address will not be published. Required fields are marked *