• Resolved sdundee

    (@sdundee)


    This plugin works really well, but unfortunately it allows username enumeration as it only allows users to progress to the 2FA if their username exists in the DB.

    This sounds like a good idea, but the problem is that users progress to the 2FA even if their password is incorrect. This allows enumeration (guessing) of usernames.

    Ideally the plugin should only allow users to progress to the 2FA prompt if both their username and password are correct. I’m looking at implementing this myself using hooks if possible, but I think it would be best if this was included in the plugin by default (it looks like this would require modifications to the preAuth method of the Simba_TFA class).

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author David Anderson

    (@davidanderson)

    I don’t see how the thing which you want to do is achieved, or done any differently, by your suggested solution.

    If someone enters a valid username, and a wrong password (whether without installing this TFA plugin, or after activating it and including a (right or wrong) TFA code), then WP sends back the message “The password you entered for the username (X) is incorrect.” Whether it says that *before* entering the TFA code, or *after* does not make any difference to the fact that WP’s “wrong password” response indicates that you guessed the existence of the username (X).

    David

    Thread Starter sdundee

    (@sdundee)

    Hi David,

    Thanks for the quick response.

    I think you’re right yes, I’m getting in a muddle myself with other code we’ve added to prevent enumeration in that respect.

    In any case, I don’t think this is actually a relevant issue as it’s specific to code that we’ve written to modify the login functionality.

    Thanks for your help!

    Plugin Author David Anderson

    (@davidanderson)

    @sdundee

    No problem!

    Do feel free to send patches to add any hooks you want to the plugin… hooks are always harmless, and we’re happy if they help.

    If you think that the plugin is worth 5 stars, then please do take a moment to give us a review – https://www.ads-software.com/support/plugin/two-factor-authentication/reviews/#new-post . (If not, please let us know why not… reviews less than 5 stars bring our average down!).

    David

    Thread Starter sdundee

    (@sdundee)

    Hi David,

    Actually, I’ve investigated this some more – I ended up setting up a WordPress install with only your plugin installed.

    With the plugin disabled, WordPress indeed sets the message you describe, but if you enable the plugin for a specific user, then try logging in as that user with an incorrect password, you are still forwarded to the page asking for the two factor token. Only after entering this are you informed that your password is incorrect.

    It looks like the plugin is executing this code before the password is checked, rather than after it’s checked.

    So it looks like this is indeed a bug.

    Kind Regards
    Sean

    Plugin Author David Anderson

    (@davidanderson)

    Hi Sean,

    Why is that a bug, according to you? At the most, it seems to be a personal preference. In the preference of other users, it’s undesirable if someone who doesn’t know the password gets informed of their mistake prior to being asked for the TFA code, on an account that has TFA activated.

    But in fact, technically, it has to be the way it is. The transition to asking for the TFA code does not send off any secrets (only the username). The secrets (i.e. password) are only sent when the form is submitted, once. That means that the plugin can remain compatible with any other things that the user puts on their login form (e.g. adds a captcha, adds a requirement to scan a barcode, etc.). If we sent off the credentials one-by-one, instead of all-at-once, it could compromise other security schemes that the user might have added (e.g. if there’s a captcha, then you don’t want an API that allows someone to test a username/password via a back-door in the TFA plugin that verifies the username/password independently of other login steps). Remember that we’re trying to remain compatible with hundreds of other plugins that modify the login process in all sorts of ways.

    David

    Thread Starter sdundee

    (@sdundee)

    Hi David,

    From a security perspective I don’t think this is ideal, because it allows username enumeration. This means that you can confirm whether or not a username exists in the database: if you proceed to the 2FA page then the username exists; if it doesn’t, you’re presented with an error message. (The OWASP description is much better and more detailed than mine: https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002))

    Unfortunately WordPress already allows this sort of enumeration by default, although there are ways to fix this using a few of the security plugins available.

    That said, I do understand why a solution to this problem is difficult, especially after looking at the code and reading your explanation. I can’t think of any easy or obvious way to fix this; that doesn’t necessarily mean that this isn’t a valid bug though (even if it might be categorised as low priority).

    Thanks for your response.

    Kind Regards
    Sean

    Plugin Author David Anderson

    (@davidanderson)

    Hi Sean,

    If it’s important to you, I think you could fairly easily modify the process so that the “does this username have TFA?” question that the front-end JavaScript asks is always answered by the WP back-end with “Yes”, regardless of the true answer. You could then either train users who don’t have TFA to just leave it blank, or adjust the informational text so that it tells them to do that.

    To do that, you should just hook the events that the plugin hooks (the ones that go into tfaInitLogin()) with a higher priority, and echo your “fake” answer, and then die(). So, your code would get in there and answer “yes” before the plugin replies.

    David
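
One way to carry out the approach David describes above, written here as an added example rather than code from the plugin or from either participant. It is a must-use plugin that hooks the same AJAX actions the plugin hooks (the request that ends up in tfaInitLogin()), at a higher priority, and answers “yes, this account uses TFA” for every username before the plugin’s own handler can run. The action name `simbatfa-init-otp` and the JSON shape `{"status": true}` are assumptions about the plugin’s internals and must be checked against the version actually installed; the function and constant names are my own.

```php
<?php
/**
 * Plugin Name: TFA enumeration hardening (example)
 * Description: Always answer "this user has TFA" to the login page's
 *              pre-auth check so the answer no longer reveals whether
 *              a username exists. Added example, not part of the plugin.
 *
 * Install by placing this file in wp-content/mu-plugins/.
 *
 * ASSUMPTIONS (verify against the plugin source you run):
 *  - the front-end "does this username have TFA?" request is a WP AJAX
 *    call whose action is 'simbatfa-init-otp', handled by tfaInitLogin();
 *  - the plugin's JavaScript treats a JSON body of {"status": true} as
 *    "yes, show the TFA code field".
 */

if (!defined('ABSPATH')) {
    exit; // never run outside WordPress
}

// Hypothetical constant: change if the plugin's action name differs.
const TFA_ENUM_HARDEN_ACTION = 'simbatfa-init-otp';

/**
 * Reply "yes" regardless of the true answer, then stop.
 *
 * Because this runs at priority 1, it executes before the plugin's own
 * handler (default priority 10). Calling wp_die() afterwards ends the
 * request, so the plugin never gets to send the real answer and the
 * response is identical for existing and non-existing usernames.
 */
function tfa_enum_harden_always_yes() {
    // Constructed response; must match what the plugin's JS expects.
    $response = array('status' => true);

    header('Content-Type: application/json; charset=' . get_option('blog_charset'));
    echo wp_json_encode($response);

    // Equivalent to David's "echo your fake answer, and then die()".
    wp_die();
}

// Hook both the logged-out and logged-in AJAX variants, ahead of the plugin.
add_action('wp_ajax_nopriv_' . TFA_ENUM_HARDEN_ACTION, 'tfa_enum_harden_always_yes', 1);
add_action('wp_ajax_' . TFA_ENUM_HARDEN_ACTION, 'tfa_enum_harden_always_yes', 1);
```

With this in place every login attempt shows the TFA field, so, as David notes, users whose accounts do not have TFA must be told (via the form’s informational text or otherwise) to leave the code field blank. Note what this does and does not fix: the pre-auth request stops being an oracle for username existence, but the wrong-password message WordPress itself returns after the form is submitted is unchanged, so that part still needs to be handled separately if full enumeration resistance is the goal.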

  • The topic ‘Plugin allows username enumeration’ is closed to new replies.