WordPress Security : User account details at risk

The wordpress.com login mechanism is not secure!

[Update: this has since been addressed. A pity there was no announcement, and no warning with details of how to log in securely in the meantime.]

Even when you reach it over HTTPS, at https://www.wordpress.com, the login itself is done insecurely.

Why? Because the login form still posts to a plain http:// location!

What does this mean? Consider:

  1. Your login name and password are sent in plain text, not encrypted.
  2. Anybody sharing your network, at the internet cafe, at school, at work, in the airport and so on, can potentially capture your password. They don't even need to be a technical genius to do it.

Closer analysis of the page at https://www.wordpress.com reveals the form is set as follows:

<form name="loginform" id="loginform" action="http://wordpress.com/wp-login.php" method="post">

Shouldn't the action be https://wordpress.com/wp-login.php?
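A small check for exactly this defect, added here as an illustration rather than anything from the original post or from WordPress: parse the HTML of a page served over https:// and report every form whose resolved action URL would submit over plain http://. Relative, empty and protocol-relative actions are resolved against the page URL, so a form with no action at all (which submits back to the secure page) is correctly not flagged. The sample HTML below is constructed for the example; the first form mirrors the one quoted above, the second shows the corrected target.

```python
"""Flag forms on an HTTPS page that would submit their fields over plain HTTP.

This is the "encrypted page, unencrypted submission" case that browsers warn
about: the page is fetched over TLS, but the credentials typed into the form
travel in cleartext to the form's action URL.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, method) for every <form> element in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)
        # An absent or empty action means "submit to the current page URL";
        # the HTML default method is GET.
        self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def insecure_form_actions(page_url, html):
    """Return [(absolute_action_url, method), ...] for forms on an https://
    page whose action resolves to an http:// URL. Returns [] if the page
    itself is not served over HTTPS, since that is a different problem."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _FormCollector()
    collector.feed(html)
    downgraded = []
    for action, method in collector.forms:
        # urljoin resolves relative paths, "//host/path" and "" against the page URL.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme == "http":
            downgraded.append((target, method))
    return downgraded


# Constructed sample pages for the example (not captured from any real site).
SAMPLE_INSECURE = """
<html><body>
<form name="loginform" id="loginform" action="http://wordpress.com/wp-login.php" method="post">
  <input name="log"><input name="pwd" type="password"><input type="submit">
</form>
</body></html>
"""

SAMPLE_FIXED = """
<html><body>
<form name="loginform" id="loginform" action="https://wordpress.com/wp-login.php" method="post">
  <input name="log"><input name="pwd" type="password"><input type="submit">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("insecure", SAMPLE_INSECURE), ("fixed", SAMPLE_FIXED)):
        hits = insecure_form_actions("https://www.wordpress.com/", page)
        print(label, "->", hits if hits else "no forms downgrade to http")
```

The check deliberately reports GET forms as well as POST ones: a GET submission puts the field values in the query string, so a downgraded GET leaks them just as readily. Run against the two samples, the first page reports the wp-login.php POST and the second reports nothing.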

Thankfully, Firefox alerts me to this with a message, so at least with that browser I may be aware something is not quite right.

"Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party." is the message, as shown in the image below.

[Image: Firefox warning dialog about the unencrypted submission ("unsecure press")]

I find this very surprising, don't you?

For instance, here [http://wordpress.com/blog/2006/03/08/secure-blogging/] is a blog entry from 2006 touting the security of WordPress, yet today the login is very far from secure.

6 Responses to “WordPress Security : User account details at risk”

  1. dmom Says:

    I have reported this to wordpress, as I’ve just tried it again and it’s still unsecure.

    I captured some data from the transfer from when I hit the ‘login’ button on the page.

    log=my-fake-user-name&pwd=top+secret&testcookie=1&submit=LoginHTTP/1.1 200 OK
    Vary: Cookie
    X-hacker: If you’re reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

  2. dmom Says:

    I have updated this post today with the details of the login form link and the image snapshot of the warning Firefox gives me when I go to login.

    For some reason, I don’t see this pop-up consistently, which is further cause for worry.

    So far I have no response from wordpress regarding this issue and Slashdot have rejected my posting of this issue.

  3. dmom Says:

    omg, I see today, unfortunately, at http://wordpress.com/blog/2007/03/06/openid/ that people can use their wordpress blog as an openID.
    Without a secure login capability at wordpress.com, this is just nuts! Now, in addition to an insecure blog, you have a bunch of insecure services online because your openID provider is insecure. Crazy crazy crazy.

    WordPress.com, where are you ?
    What say you about the insecure login ?

  4. Secure Wordpress.com login « LifelongPassion Says:

    [...] http://cuasan.wordpress.com/2007/10/05/insecurepresscom/ [...]

  5. Secure Wordpress.com login « RoundPicture Says:

    [...] http://cuasan.wordpress.com/2007/10/05/insecurepresscom/ [...]

  6. dmom Says:

    I never received a response from wordpress.
    I have re-checked their landing page over the last few months, and indeed the login form is now deferring to a secure location via an HTTP POST to an HTTPS URI.
