Vulnerability From Other Admin Accounts
If you view a user with two-step setup, you can uncheck the boxes, which doesn't actually leave them unchecked after saving, but it does remove the Primary mode, leaving it wide open without requiring two-step. So if someone gets in through an Admin with weak security, they can disable two-step for other users.
Thanks for reporting the issue @richardkentgates!
In #88 we're actually thinking of allowing admins to configure 2FA for all users.
So if someone gets in through an Admin with weak security, they can disable two-step for other users.
I haven't verified this but can't admins reset all user passwords in core WP?
This is not necessarily a vulnerability but is usually the way access can be restored if an admin loses the means with which they provided a second step of authentication.
Use AWS for example (they support app-based 2FA by way of tools like Google Authenticator). If you and I are both admins on an account, and you drop your phone in a mud puddle, you've lost access to your account entirely. The only way to restore access is to either call Amazon and work with a CSR to override your account and reset things, or ask me to disable 2FA for your account so you can log in and set up a new device.
I'm explicitly using the phrase "mud puddle" because this is the classic mud puddle test when it comes to application security. It's a common discussion security engineers have when determining the trade-offs of any specific approach.
In other words, this is somewhat by design and not a vulnerability of the system. Removing 2FA is an administrative-level operation open to anyone with administrative-level credentials.
I can totally agree with this, but there should be a selection to force users to set up Two-Step, and by the hackish performance of doing this, it's obvious this is an oversight, not an intentional feature. However, I did use this to allow someone to regain access after they set it up with a faulty configuration which locked them out.
So if it is something that is desirable, I think it should still be worked on to secure any real vulnerabilities that may have been overlooked. I may have some time to contribute in the next 30-90 days, bearing in mind that I'm new to WordPress development and I'm unsure of the direction of coding practices and standards for WordPress with the upcoming 5.0 release.
At any rate, I think it's kick @ss that you guys are doing this work for the betterment of the platform. The world owes you much gratitude.
Suggestion: when 2FA settings are changed, send the user an email to confirm (or at least notify). Perhaps only send the email if changed by someone other than the account holder.
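One way to get the notification suggested above today, as an added example that is not part of the Two-Factor plugin or this thread: a must-use plugin that watches the plugin's user meta and emails the account holder whenever someone other than themselves changes it. The meta key names `_two_factor_provider` and `_two_factor_enabled_providers` are an assumption about how the plugin stores its settings; adjust them to the installed version.

```php
<?php
/**
 * Notify a user when their Two-Factor settings are changed by someone else.
 * Drop into wp-content/mu-plugins/. Added example; not part of the Two-Factor plugin.
 *
 * Assumption: the plugin stores the primary provider and the enabled provider
 * list as user meta under the keys below (verify against the installed version).
 */
const TFA_WATCHED_META_KEYS = array( '_two_factor_provider', '_two_factor_enabled_providers' );

function tfa_notify_if_changed_by_other( $object_id, $meta_key, $new_value, $event ) {
	if ( ! in_array( $meta_key, TFA_WATCHED_META_KEYS, true ) ) {
		return;
	}
	$actor_id = get_current_user_id();
	// A user editing their own profile is the expected case; any other actor
	// (another admin, WP-CLI, cron, where the id is 0) triggers a notice.
	if ( $actor_id === (int) $object_id ) {
		return;
	}
	$user = get_userdata( $object_id );
	if ( ! $user ) {
		return;
	}
	$actor      = $actor_id ? get_userdata( $actor_id ) : null;
	$actor_name = $actor ? $actor->user_login : 'unknown (no logged-in user)';
	$printable  = is_scalar( $new_value ) ? (string) $new_value : wp_json_encode( $new_value );

	$subject = sprintf( '[%s] Your two-factor settings were changed', wp_specialchars_decode( get_option( 'blogname' ) ) );
	$message = sprintf(
		"Your two-factor authentication setting \"%s\" was %s by user \"%s\".\nNew value: %s\n\nIf you did not expect this, contact your site administrator.",
		$meta_key, $event, $actor_name, $printable
	);
	wp_mail( $user->user_email, $subject, $message );

	// Also leave an audit trail in the PHP error log for the operations team.
	error_log( sprintf( 'two-factor: meta %s %s for user %d by user %d', $meta_key, $event, $object_id, $actor_id ) );
}

// update_metadata() fires this after an existing user meta row is changed.
add_action( 'updated_user_meta', function ( $meta_id, $object_id, $meta_key, $meta_value ) {
	tfa_notify_if_changed_by_other( $object_id, $meta_key, $meta_value, 'updated' );
}, 10, 4 );

// delete_metadata() fires this after a user meta row is removed (e.g. the primary provider being cleared).
add_action( 'deleted_user_meta', function ( $meta_ids, $object_id, $meta_key, $meta_value ) {
	tfa_notify_if_changed_by_other( $object_id, $meta_key, $meta_value, 'deleted' );
}, 10, 4 );
```

This only notifies; it does not stop the change, so the mud-puddle recovery path described earlier in the thread still works.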
I agree that admins should be able to manage 2FA of other admins. Forcing all users (or specific roles) to enable 2FA is covered by #255 / #239. Notifying folks when settings change is covered by #476 / #484.
So it seems safe to close this issue. Let me know if I missed a reason why it should stay open though.