Security vulnerability in the Duo WordPress two-factor authentication plugin
Posted on 14 February 2014.
During an internal assessment, Duo Security found a vulnerability in their popular WordPress two-factor authentication plugin that completely bypasses the security measures provided by it.


Vulnerable versions include Duo WordPress plugin 1.8.1 and earlier, but the issue manifests only in multisite deployments where the plugin is enabled on a site-by-site basis. By exploiting this vulnerability, a WordPress user with valid credentials for one site could easily bypass the two-factor authentication procedure on a second site.

Duo Security provided the following sample scenario:

A multi-site WordPress deployment has two sites, Site1 and Site2, with the Duo WordPress plugin enabled for Site1 but disabled for Site2. Under normal circumstances, users logging into Site1 will be prompted for primary credentials and second-factor authentication; Site2 users will be prompted only for primary credentials.

A Site1 user may force-browse to the login URL of Site2, which will authenticate the user (as part of the same WordPress multi-site network) and redirect them back to Site1, without prompting for second-factor authentication.

The developers are currently working on fixing this issue and will soon release a new version of the plugin. In the meantime, users are advised to enable duo_wordpress globally in a multi-site configuration.
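As an added, defender-side illustration (not from the article or from Duo), the following check flags the pattern in the scenario above in web-server access logs: a login POST on a site that does not enforce the plugin whose redirect_to parameter points at a site that does. The hostnames, client addresses and log lines are constructed, and the log format is assumed to carry a leading virtual-host field.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines for a two-site multisite network
# (assumed format: "<vhost> <ip> - - [ts] "<method> <path> <proto>" <status> <bytes>").
SAMPLE_LOG = """\
site1.example.com 203.0.113.5 - - [14/Feb/2014:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0
site2.example.com 203.0.113.5 - - [14/Feb/2014:10:02:10 +0000] "POST /wp-login.php?redirect_to=http%3A%2F%2Fsite1.example.com%2Fwp-admin%2F HTTP/1.1" 302 0
site2.example.com 198.51.100.7 - - [14/Feb/2014:10:03:00 +0000] "POST /wp-login.php?redirect_to=http%3A%2F%2Fsite2.example.com%2Fwp-admin%2F HTTP/1.1" 302 0
site1.example.com 198.51.100.7 - - [14/Feb/2014:10:04:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 4321
"""

# Sites on which two-factor authentication is enforced (per-site activation,
# the configuration the article describes as vulnerable).
TWO_FACTOR_SITES = {"site1.example.com"}

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_cross_site_logins(log_text, two_factor_sites=TWO_FACTOR_SITES):
    """Return login POSTs on a non-2FA site whose redirect_to target is a 2FA site."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        parsed = urlparse(m.group("path"))
        if parsed.path != "/wp-login.php":
            continue
        login_host = m.group("host")
        if login_host in two_factor_sites:
            continue  # the login itself was subject to the second factor
        for target in parse_qs(parsed.query).get("redirect_to", []):
            target_host = urlparse(target).hostname
            if target_host and target_host != login_host and target_host in two_factor_sites:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "login_host": login_host, "redirect_host": target_host})
    return findings


if __name__ == "__main__":
    for hit in find_cross_site_logins(SAMPLE_LOG):
        print("possible second-factor bypass:", hit)
```

Once the plugin is activated network-wide, the login on Site2 is itself covered by the second factor and the pattern stops being a bypass, so the check is most useful as a stopgap and as an audit of per-site activation.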

Update - Friday, 14 February, 8:40 AM PST: Duo Security have released more information about this issue as well as a new version of the plugin.
