Comments on: WordPress Security : User account details at risk

By: dmom

dmom — Mon, 09 Jun 2008 20:26:16 +0000

I never received a response from wordpress.
I have re-checked their landing page over the last few months, and indeed the login form is deferring to a secure location via a HTTP POST to a HTTPS URI.

By: Secure Wordpress.com login « RoundPicture

Secure Wordpress.com login « RoundPicture — Sat, 07 Jun 2008 20:47:22 +0000

[...] http://cuasan.wordpress.com/2007/10/05/insecurepresscom/ [...]

By: Secure Wordpress.com login « LifelongPassion

Secure Wordpress.com login « LifelongPassion — Mon, 05 May 2008 18:55:23 +0000

[...] http://cuasan.wordpress.com/2007/10/05/insecurepresscom/ [...]

By: dmom

dmom — Tue, 13 Nov 2007 13:33:44 +0000

omg, I see today, unfortunately, at http://wordpress.com/blog/2007/03/06/openid/ that people can use their wordpress blog as an openID.
Without a secure login capabiliity at wordpress.com, this is just nuts ! Now, in addition to an insecure blog, you have a bunch of insecure services online because your openID provider is insecure. Crazy crazy crazy.

WordPress.com, where are you ?
What say you about the insecure login ?

By: dmom

dmom — Wed, 31 Oct 2007 11:09:22 +0000

I have updated this post today with the ddetails of the login form link and the image snapshot of the warning firefox gives me when i go to login.

For some reason, I don’t see this pop-up consistently, which is further cause for worry.

So far I have no response from wordpress regarding this issue and slahsdot have rejected my posting of this issue.

By: dmom

dmom — Fri, 26 Oct 2007 10:29:29 +0000

I have reported this to wordpress, as I’ve just tried it again and it’s still unsecure.

I captured some data from the transfer from when I hit the ‘login’ button on the page.

log=my-fake-user-name&pwd=top+secret&testcookie=1&submit=LoginHTTP/1.1 200 OK
Vary: Cookie
X-hacker: If you’re reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.