WordPress Cookie Hijack Risk on Open Networks

wordpress

#1

Anyone else read this? What I am grokking from this is that if you are on an open network (like a coffee-shop or internet cafe) someone can intercept your login-cookie for WordPress and use that to gain access to your wp-admin section.

From there they can change the admin email, re-write posts, etc.

For this reason, and many others, it sounds like it would be a good idea to have a VPN you connect to when using public networks.

I have a browser icon on my laptop; when I click it, it opens an SSH tunnel connecting to a remote server and launches Firefox, which then connects through that SSH port…

but not everyone has a remote server to connect to… VPNs are a nice, cheap alternative.


#2

FWIW, WordPress core is working on this and it should be patched in the next security release (see? I told you upgrading was a good idea). However yes, this is a big deal :confused: Even using https/ssl for login won’t protect you.

Can you guess what we’re up to this week in WP land?
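Post #2's point that an HTTPS login page alone is not enough comes down to the cookie: a cookie issued without the Secure flag is sent by the browser on plain-HTTP requests as well, which is exactly where an eavesdropper on open wifi can read it. The must-use plugin below is an added example written for this thread, not code from WordPress core or from any poster. It uses the real FORCE_SSL_ADMIN constant and the core secure_auth_cookie / secure_logged_in_cookie filters (applied in wp_set_auth_cookie()), plus the template_redirect and send_headers actions; the function names prefixed example_ are made up here. It assumes the whole site, front end included, already answers over HTTPS with a valid certificate.

```php
<?php
/**
 * Plugin Name: Secure-only auth cookies (added example; not WordPress core code)
 *
 * Copy to wp-content/mu-plugins/secure-cookies.php on a site that already
 * answers every URL over HTTPS. Assumed: a valid certificate is installed and
 * home/siteurl use https://. On a mixed http/https site the Secure flag would
 * make WordPress forget the login on plain-HTTP pages.
 */

// 1. Keep wp-login.php and everything under /wp-admin/ on HTTPS. This is the
//    real WordPress constant; wp-config.php is the usual place for it, and the
//    guard lets a copy there win.
if ( ! defined( 'FORCE_SSL_ADMIN' ) ) {
	define( 'FORCE_SSL_ADMIN', true );
}

// 2. Set the Secure flag on both login cookies. WordPress issues two: the auth
//    cookie (sent with wp-admin requests) and the logged_in cookie (sent with
//    every front-end request, e.g. for the admin bar). A cookie without Secure
//    is sent over plain HTTP too, which is what an open-wifi eavesdropper sees.
//    secure_auth_cookie and secure_logged_in_cookie are core filters applied
//    in wp_set_auth_cookie().
function example_secure_cookie_flag( $secure ) {
	// Only force the flag when the login itself happened over HTTPS; a Secure
	// cookie issued during an HTTP login would never be returned by the browser
	// and the login would silently fail.
	return $secure || is_ssl();
}
add_filter( 'secure_auth_cookie', 'example_secure_cookie_flag' );
add_filter( 'secure_logged_in_cookie', 'example_secure_cookie_flag' );

// 3. FORCE_SSL_ADMIN covers only login and wp-admin. Move front-end visitors
//    to HTTPS as well. Limit to keep in mind: by the time WordPress runs, the
//    browser has already sent whatever cookies it had with that HTTP request,
//    so this redirect prevents future leaks, not the one in the request it
//    answers. Step 2 (Secure flag) and step 4 (HSTS) close that gap.
function example_front_end_to_https() {
	if ( is_ssl() ) {
		return;
	}
	// wp_safe_redirect() only follows hosts WordPress considers its own, so a
	// spoofed Host header cannot turn this into an open redirect.
	wp_safe_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
	exit;
}
add_action( 'template_redirect', 'example_front_end_to_https' );

// 4. Tell browsers to stop making plain-HTTP requests to this host at all
//    (HSTS). Start with a short max-age and raise it once the site has run
//    cleanly on HTTPS for a while; a long max-age is hard to undo.
function example_send_hsts_header() {
	if ( is_ssl() && ! headers_sent() ) {
		header( 'Strict-Transport-Security: max-age=86400' );
	}
}
add_action( 'send_headers', 'example_send_hsts_header' );
```

To check it, log in over HTTPS and inspect the response in the browser's developer tools: both wordpress_sec_* and wordpress_logged_in_* cookies should carry the Secure (and HttpOnly) attributes, and a plain http:// request to the front end should redirect to https:// and carry no WordPress cookies once HSTS is in effect.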


#3

I am glad to hear this is being resolved. I know enough to connect to a VPN while on open networks, but most (if not all) of my clients would get glassy-eyed if I tried to tell them to use a VPN.

Fixing a bunch of hacked WordPress sites over the weekend would not be fun. Luckily I run daily backups of all sites I manage…


#4

Honestly, I’m not as worried as I might be about this one. Yes, it’s really really bad, but it’s less bad than Heartbleed and can be fixed. Likely, we’ll backport the patch to 3.7 and 3.8 as well. Still, people should get on at LEAST 3.8.x as soon as they can so the update can be applied! (I don’t have an ETA on it yet.)

In the meantime, don’t use your laptops on unsecured wifi for important things anyway! Also for WP, look into using the phone/tablet apps. They’re going to be more secure due to how they communicate.
[hr]
Double posting because Nacin posted this: http://nacin.com/2014/05/30/security-is-nuanced/