• Can conflict with LastPass according to the author, in the way that one can fill in a bogus password and will still be able to get to the text box to fill in the TFA code. In my case it still was possible to enter a random password to get to the textbox of the TFA code AFTER inactivating LastPass and without any other password manager.

    • This topic was modified 6 years, 10 months ago by gvmelle. Reason: On request of the author
    • This topic was modified 6 years, 10 months ago by gvmelle.
    • This topic was modified 6 years, 10 months ago by gvmelle. Reason: did another test after deactivating LastPass
Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author David Anderson

    (@davidanderson)

    Hi @gvmelle,

    In his case, the problem is in another component on his site, but he hasn’t come back with the info to find out which.

    So, can I ask you the same question? Does it happen on your site if you de-activate all other plugins and switch to a default theme?

    By the way – are you a different person to newoabp? (I’m curious as to why your English contains precisely the same odd grammatical mistakes).

    David

    Plugin Author David Anderson

    (@davidanderson)

    And/or, if you can give a list of your installed plugins, we can spot which one(s) you have in common with him.

    Thread Starter gvmelle

    (@gvmelle)

I tested it with a different password and came to the TFA textbox. I entered the code and could enter my weblog. Also with all my plugins deactivated. Only after deactivation was the TFA code not accepted. I thereafter deleted your plugin with Filezilla, because I could not enter my weblog.

    I use another TFA plugin now.

    Oh, and I copied and pasted the text from newoabp, sorry, just lazy.

    Ciao,

    Gideon

    ~~o
    <#\,
    ()/()

    Plugin Author David Anderson

    (@davidanderson)

    Hi,

    So, what other plugins do you have installed? I can already guess at the bug contained in the other plugin (which could potentially be exploited in other ways, BTW), but I would like to know which one it actually is, so that I can tell them.

    David

    Thread Starter gvmelle

    (@gvmelle)

This is a list of my active plugins:
    1 Bit Audio Player
    Version 1.4 | By Mark Wheeler | Visit plugin site

    Advanced Automatic Updates
    Version 1.0.2 | By pento | View details

    Allow Categories
    Version 0.6.7 | By James Low, Pascaline Chotard ([email protected]) | View details

    Custom Query String
    Version 2.7 | By Matt Read | Visit plugin site

    Custom Quicktags
    Version 1.0 | By scribu

    Customizable Post Listings
    Version 1.5 | By Scott Reilly | View details

    deUncategorize
    Version 1.4 | By Daniel M. Gattermann | Visit plugin site

    Flickr Set Slideshows
    Version 0.9 | By Marie Manandise, MAJWeb | View details

    Force Login
    Version 5.1.1 | By Kevin Vess | View details

    Google Language Translator
    Version 5.0.33 | By Rob Myrick | View details

    Highslide Integration
    Version 2.3 | By Christoph Dietrich | Visit plugin site

    kPicasa Gallery
    Version 0.2.9 | By Guillaume Hébert | View details

    Mobile Smart
    Version v1.3.16 | By Dan Smart | View details

    My Admin Theme
    Version 1.0 | By G. van Melle | Visit plugin site

    PanoPress
    Version 1.3 | By Omer Calev & Sam Rohn | View details | PanoPress Instructions | PanoPress Forums | WordPress Plugin Page

    PJW Mime Config
    Version 1.00 | By Peter Westwood | View details

    Post Notification
    Version 1.2.40 | By Moritz Strübe | Visit plugin site

    SB Welcome Email Editor
    Version 4.8 | By Sean Barton | View details

    Search & Replace
    Version 3.1.2 | By Inpsyde GmbH | View details

    Slickr Flickr
    Version 2.5.4 | By Russell Jamieson | View details

    Smarter Archives
    Version 3.2.4 | By Robin Adrianse | View details

    Subscribe To Comments
    Version 2.3 | By Mark Jaquith | View details

    Subscribe2
    Version 100.0 | By Matthew Robinson | View details | Settings | Donate

    TBR Search Pages
    Version 1.0 | By Torben Brams | Visit plugin site

    User Switching
    Version 1.3.0 | By John Blackbourn | View details

    WordPress HTTPS
    Version 3.4.2 | By Mike Ems | View details | Settings | FAQ | Support | Donate

    WP Mail SMTP
    Version 1.2.2 | By WPForms | View details

    WP User Avatar
    Version 2.0.9 | By flippercode | View details | Support Forums

    WP-FLV
    Version 0.2 | By Roel Meurders | Visit plugin site

    WP-zoomify
    Version 1.0 | By G. van Melle

    Plugin Author David Anderson

    (@davidanderson)

    Thanks. I’ve installed and activated the two which seem most likely to modify the login process (User Switching, Force Login), but still cannot reproduce the problem (it always tells me that my password is wrong).

    All I can do at this point is either wait for the other guy to list his plugins (but he hasn’t communicated), or if you can de-activate all other plugins and see what the result is.

    You don’t have a password manager installed in your browser which is automatically inserting the right password?

    Thread Starter gvmelle

    (@gvmelle)

    I tested it with all my plugins deactivated. I was directed with a bogus password to the next screen (or window) with the textbox for the authy code to fill in. The code was rejected.

    And, yes, I use LastPass as a password manager, but overruled it.

    Anyway, I like the TFA plugin I use now (https://www.ads-software.com/plugins/two-factor/) and have uninstalled yours. So this is all I can do for you to help you to debug.

Regards,
    Gideon

    Plugin Author David Anderson

    (@davidanderson)

    Hi Gideon,

    The code was rejected.

    So, the cause is definitely one of the other plugins. If you have time to work out which (by de-activating half your plugins, until you find which one it is), I’d be grateful, or if you could change the stars on your review to indicate that the problem’s root cause is somewhere else.

    N.B. You’re always asked for the TFA code, after the password, as they are both checked together (the password by WP (not by my plugin), the TFA code by my plugin). That’s better security (for reasons I can explain if you wish) than checking them one-by-one.

    David
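The point David makes above, that the password and the TFA code are checked together and the user gets one combined verdict, can be illustrated with a small login check. This is an added example, not code from the plugin or from WordPress; the account, salt and TOTP seed are constructed for the demo, and the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second steps). Both checks always run, so a page that only asks for the code once the password is known to be right never exists, and an attacker cannot use the second screen as an oracle for which password was correct.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hash_pw(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (stands in for WordPress's own hashing)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", at // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed demo account (hypothetical username, salt and TOTP seed).
_SALT = b"constructed-salt"
USERS = {
    "gideon": {
        "pw_hash": hash_pw("correct horse", _SALT),
        "totp_secret": base64.b32encode(b"example-seed-12345ab").decode(),
    }
}
# Used for unknown usernames so a failed lookup takes the same code path.
_DUMMY = {"pw_hash": hash_pw("", _SALT),
          "totp_secret": base64.b32encode(b"dummy-seed-for-unknown").decode()}


def code_matches(secret_b32: str, code: str, at: int) -> bool:
    """Accept the current step and one step either side; constant-time compares."""
    hits = [hmac.compare_digest(totp(secret_b32, at + d * STEP), code) for d in (-1, 0, 1)]
    return any(hits)


def login(username: str, password: str, code: str, at=None):
    """Check password and TFA code together and return one combined verdict."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username, _DUMMY)
    pw_ok = hmac.compare_digest(hash_pw(password, _SALT), user["pw_hash"])
    code_ok = code_matches(user["totp_secret"], code, at)  # runs even when pw_ok is False
    if username in USERS and pw_ok and code_ok:
        return True, "logged in"
    return False, "invalid username, password or code"
```

With a bogus password the code box is still shown and filled, exactly as gvmelle describes, but the combined check fails with the same message as a wrong code would produce.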

    Plugin Author David Anderson

    (@davidanderson)

    Hi @gvmelle,

    Thank you for all your help. We have managed to find out the problem.

    There is no problem. It’s LastPass.

    I asked a team of people to try to reproduce this problem on any websites they had. Finally, somebody did reproduce the problem. I then tried to log in on the same site… but the “bug” did not happen for me. We then cloned the site to a new URL… then the “bug” did not happen for either of us. Then we looked into LastPass. He has it; I don’t. He turned off LastPass and…. the problem no longer happens. We discovered that LastPass is actually automatically re-inserting the correct password. This was verified by using the web browser’s “Developer Tools” to inspect the data that the browser was sending, which, when LastPass is active, contains the correct password.

    Best wishes,
    David

    There is a problem. And it’s a security problem. You shouldn’t avoid it.

    Plugin Author David Anderson

    (@davidanderson)

    @newoabp You make no sense. It is not a security problem if you install LastPass and tell it to remember your password. That’s what LastPass does; that’s its intended purpose. It does not help any other visitor to log in, unless you hand them your computer and tell them they can use it!

Please understand, I don’t have LastPass.

  • The topic ‘just as newoabp stated’ is closed to new replies.