Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass
Found on Ars Technica on Monday, 26 May 2014
Memo to anyone who logs in to a WordPress-hosted blog from a public Wi-Fi connection or other unsecured network: It's trivial for the script kiddie a few tables down to hijack your site even if it's protected by two-factor authentication.
The cookie, which carries the tag "wordpress_logged_in," is set once an end user has entered a valid WordPress user name and password.
The WordPress engineers' decision to allow the cookie to be transmitted unencrypted (it is not marked Secure, so browsers also send it over plain HTTP) makes it susceptible to interception in many cases.
You shouldn't log in to any service from a public network without using at least HTTPS anyway. Note, though, that HTTPS on the login page alone does not protect a cookie that lacks the Secure attribute: the browser will still attach it to any http:// request for the same site, which is exactly where a sniffer picks it up.
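The following Python script is an added example (not code from the Ars Technica article or from WordPress) that makes the two points above concrete: it parses Set-Cookie headers, models the browser rule that only a Secure cookie is withheld from http:// requests, and flags login cookies that would travel in the clear. The cookie name suffix, the cookie value and the list of name patterns that count as "session" cookies are assumptions for the demonstration.

```python
"""Audit Set-Cookie headers for login cookies a browser would send over plain HTTP.

Added example; not code from the article or from WordPress.
"""
import re
from dataclasses import dataclass, field

# Assumption: cookie names matching these patterns carry a login session.
SESSION_NAME_RE = re.compile(r"(wordpress_logged_in|sess|auth|token)", re.I)


@dataclass
class Cookie:
    name: str
    value: str
    # lowercased attribute name -> value, or True for flag attributes
    attrs: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header, with or without the 'Set-Cookie:' prefix."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value, attrs)


def browser_would_send(cookie: Cookie, scheme: str) -> bool:
    """Browser rule: a Secure cookie rides only on https://; any other cookie rides on both."""
    return scheme == "https" or not cookie.secure


def audit(headers):
    """Return (cookie name, problem) pairs for session cookies exposed on plaintext HTTP."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if not SESSION_NAME_RE.search(c.name):
            continue
        if browser_would_send(c, "http"):
            findings.append((c.name, "missing Secure: sent in the clear on http://, sniffable on open Wi-Fi"))
        if not c.httponly:
            findings.append((c.name, "missing HttpOnly: readable by injected script"))
    return findings


# Constructed sample headers. The name suffix and value are placeholders, not real WordPress data.
WEAK = "Set-Cookie: wordpress_logged_in_0123abcd=user%7C1401100000%7Cdeadbeef; path=/; HttpOnly"
FIXED = "Set-Cookie: wordpress_logged_in_0123abcd=user%7C1401100000%7Cdeadbeef; path=/; Secure; HttpOnly"
IRRELEVANT = "Set-Cookie: theme=dark; path=/"

if __name__ == "__main__":
    for name, problem in audit([WEAK, FIXED, IRRELEVANT]):
        print(f"{name}: {problem}")
    # Even after logging in over HTTPS, the WEAK cookie still goes out on an http:// request.
    print("WEAK sent on http:// ->", browser_would_send(parse_set_cookie(WEAK), "http"))
```

Run it against headers captured from a real response (for example the output of `curl -sI https://<site>/wp-login.php`) by replacing the constructed samples; the only finding that should remain for a login cookie is none.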