Critical vulnerability in Multisite installations
The bug that was announced for Duo Security’s WP plugin mentioned that other 2FA plugins were affected as well. I tested Google Authenticator and it’s also vulnerable.
My first thought for a fix would be to require network activation if the plugin is installed on a Multisite install. Since the ‘enabled’ usermeta is global across all sites, that would fix the problem. That may not be desirable for some users, though.
An alternative approach would be to store a flag when the user logs in, noting which blog they logged in from. Then on each request, check if that flag exists and if the blog it points to has the plugin enabled. If it doesn’t exist or the plugin isn’t enabled, short-circuit the authentication request and force them to log in from the blog they’re trying to access.
There could be a better approach too; those were just the first ones I thought of.
(I’m posting this in the public forums since the vulnerability is already public. Hackers already know it exists and you can assume they’re exploiting it, so users need to know about it too.)
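One way to implement the second approach above (record the blog a user logged in from, then verify it on every request), as an added example written for this thread; it is not code from the poster or from the Duo or Google Authenticator plugins. The plugin path constant and the user-meta key are placeholders, and the check uses the plugin's own activation state on the recorded blog as the meaning of "has the plugin enabled":

```php
<?php
/**
 * Added example, not the plugin's own code. Placeholders (not on the page):
 * TWOFA_EXAMPLE_PLUGIN is the 2FA plugin's path relative to wp-content/plugins,
 * TWOFA_EXAMPLE_META is the user-meta key used to remember the login blog.
 */
const TWOFA_EXAMPLE_PLUGIN = 'example-2fa/example-2fa.php';
const TWOFA_EXAMPLE_META   = 'twofa_example_login_blog';

/**
 * Is the 2FA plugin active on the given blog (per-site or network-wide)?
 * is_plugin_active() reads the active_plugins option of the blog we switched to.
 */
function twofa_example_active_on_blog( $blog_id ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    switch_to_blog( (int) $blog_id );
    $active = is_plugin_active( TWOFA_EXAMPLE_PLUGIN );
    restore_current_blog();
    return $active;
}

// Step 1: after a successful login, remember which blog the user authenticated on.
// This hook only fires on blogs where this plugin is loaded, which is exactly
// where the 2FA prompt was (or was not) enforced.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, TWOFA_EXAMPLE_META, get_current_blog_id() );
}, 10, 2 );

// Step 2: on every request to a blog that enforces 2FA, refuse a session that
// was created on a blog where the plugin is not active, or that has no record
// at all, and send the user to this blog's login form instead.
add_action( 'init', function () {
    if ( ! is_multisite() || ! is_user_logged_in() ) {
        return;
    }

    $login_blog = get_user_meta( get_current_user_id(), TWOFA_EXAMPLE_META, true );

    if ( '' === $login_blog || ! twofa_example_active_on_blog( $login_blog ) ) {
        // Short-circuit: drop the session and force a fresh login here.
        wp_logout();
        wp_safe_redirect( wp_login_url() );
        exit;
    }
} );
```

Two caveats worth checking in a real deployment: the `wp_login` hook above only runs where the plugin is loaded, so a user who logs out and then logs in on a blog without the plugin keeps the stale meta value from an earlier login and would still pass; binding the recorded value to the current session token (for example, storing a hash of it alongside the blog id and comparing on each request) closes that gap. And because the check runs on `init`, it covers front-end, admin and AJAX requests alike, which is what makes it a short-circuit rather than a login-screen-only fix.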