Bypass OTP
Hi Henrik,
I have been using your plugin on a few sites and have just noticed yesterday that I can put any code I want (or none at all) into the OTP box on the login form. Having read some forum threads it seems that other plugins which hook in to “authenticate” may be the issue. I do use Ultimate Member and Wordfence on these sites. Doing some enabling/disabling seems to pin down the issue on my sites to Ultimate Member.
Having looked at the plugin code and done some research I have changed the code slightly in a couple of places so it hooks into “wp_authenticate_user” instead of “authenticate”. I’ve checked the code in WordPress core user.php and it seems that this is an OK place to be checking the OTP.
Have you any comments on this? Specifically, from a security perspective, is there any particular reason you picked “authenticate” and not “wp_authenticate_user” as the place to hook into?
I have seen quite a few people having issues like mine – I’ve no idea if my changes would have other issues elsewhere (possibly).
I know Ian Dunn has mentioned before that there should be a way to ensure that the plugin is “working” and advise the user if not. I have seen elsewhere that the plugin is listed as having a “Two Factor Authentication Bypass” vulnerability – presumably because of the issues mentioned. It would be nice to try and clear this up as it is a pretty nasty vulnerability if the user doesn’t know it isn’t working.
Let me know if you are interested in seeing the code changes I made.
Happy to help in any way.
Ben
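The two points raised above, moving the OTP check onto “wp_authenticate_user” and having the plugin tell the admin when the check is not actually running, as one constructed example. This is added illustration, not Henrik’s plugin code or the poster’s patch; the plugin name, the `otp_demo_*` function names, the user-meta key, the option name and the `otp_demo_code` POST field are all assumptions, and the second factor is a single-use code stored in user meta only so the example runs without an OTP library. The WordPress hooks and core function names used are real.

```php
<?php
/**
 * Plugin Name: OTP Demo (constructed example)
 * Description: Illustrative second-factor check hooked on wp_authenticate_user,
 *              plus a self-check that warns when the hook is no longer attached.
 */

// Hypothetical user-meta key holding a pending one-time code (constructed for this example).
const OTP_DEMO_META_KEY = '_otp_demo_pending_code';

/**
 * Runs inside wp_authenticate_username_password() / wp_authenticate_email_password(),
 * after the username has resolved to a WP_User and before the password is checked.
 * Returning a WP_Error aborts the login.
 */
function otp_demo_require_code( $user, $password ) {
    if ( is_wp_error( $user ) || ! ( $user instanceof WP_User ) ) {
        return $user; // An earlier step already failed; nothing to add here.
    }

    $expected  = (string) get_user_meta( $user->ID, OTP_DEMO_META_KEY, true );
    $submitted = isset( $_POST['otp_demo_code'] ) ? trim( (string) wp_unslash( $_POST['otp_demo_code'] ) ) : '';

    // Fail closed: no pending code on record, or an empty box, is a failure, not a pass.
    if ( '' === $expected || '' === $submitted || ! hash_equals( $expected, $submitted ) ) {
        return new WP_Error( 'otp_demo_invalid', __( 'Invalid or missing one-time code.' ) );
    }

    // Single use: clear the code once it has been accepted.
    delete_user_meta( $user->ID, OTP_DEMO_META_KEY );
    return $user;
}
add_filter( 'wp_authenticate_user', 'otp_demo_require_code', 10, 2 );

/**
 * Self-check: confirm at login time that the OTP filter is still attached and that
 * core's password handler (which is what applies wp_authenticate_user) is still on
 * 'authenticate'. Returns the list of missing hooks, empty when everything is in place.
 */
function otp_demo_missing_hooks() {
    $missing = array();
    if ( false === has_filter( 'wp_authenticate_user', 'otp_demo_require_code' ) ) {
        $missing[] = 'wp_authenticate_user:otp_demo_require_code';
    }
    // Core attaches wp_authenticate_username_password to 'authenticate' at priority 20.
    if ( false === has_filter( 'authenticate', 'wp_authenticate_username_password' ) ) {
        $missing[] = 'authenticate:wp_authenticate_username_password';
    }
    return $missing;
}

function otp_demo_login_init_check() {
    $missing = otp_demo_missing_hooks();
    if ( ! empty( $missing ) ) {
        error_log( 'otp_demo: second-factor check not active, missing hooks: ' . implode( ', ', $missing ) );
        update_option( 'otp_demo_last_problem', $missing ); // constructed option name
    } else {
        delete_option( 'otp_demo_last_problem' );
    }
}
add_action( 'login_init', 'otp_demo_login_init_check' );

// Surface the last detected problem to administrators instead of failing silently.
function otp_demo_admin_notice() {
    $problem = get_option( 'otp_demo_last_problem' );
    if ( ! empty( $problem ) && current_user_can( 'manage_options' ) ) {
        echo '<div class="notice notice-error"><p>' .
            esc_html( 'OTP check is not active. Missing hooks: ' . implode( ', ', (array) $problem ) ) .
            '</p></div>';
    }
}
add_action( 'admin_notices', 'otp_demo_admin_notice' );
```

Two things worth knowing when reading this against the thread. Core only applies “wp_authenticate_user” from inside `wp_authenticate_username_password()` and `wp_authenticate_email_password()`, and both return early, without applying it, when an earlier “authenticate” callback has already handed them a `WP_User`; so a login method that resolves the user itself (social or cookie based) never reaches this filter, and the self-check above cannot see that case because the hooks are all still attached. Conversely, a check placed on “authenticate” can be overridden by a later callback on the same filter that replaces its `WP_Error` with a `WP_User`, which matches the symptom described at the top of the post. Whichever hook is used, the detection side is the same: verify the filter is attached at `login_init`, and treat an empty OTP box as a failure rather than a pass.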