[Resolved] Bypass OTP

    demotic (@demotic)


    Hi Henrik,

    I have been using your plugin on a few sites and have just noticed yesterday that I can put any code I want (or none at all) into the OTP box on the login form. Having read some forum threads it seems that other plugins which hook in to “authenticate” may be the issue. I do use Ultimate Member and Wordfence on these sites. Doing some enabling/disabling seems to pin down the issue on my sites to Ultimate Member.

    Having looked at the plugin code and done some research I have changed the code slightly in a couple of places so it hooks into “wp_authenticate_user” instead of “authenticate”. I’ve checked the code in WordPress core user.php and it seems that this is an OK place to be checking the OTP.

    Have you any comments on this? Specifically, from a security perspective, is there any particular reason you picked “authenticate” and not “wp_authenticate_user” as the place to hook into?

    I have seen quite a few people having issues like mine – I’ve no idea if my changes would have other issues elsewhere (possibly).

    I know Ian Dunn has mentioned before that there should be a way to ensure that the plugin is “working” and advise the user if not. I have seen elsewhere that the plugin is listed as having a “Two Factor Authentication Bypass” vulnerability – presumably because of the issues mentioned. It would be nice to try and clear this up as it is a pretty nasty vulnerability if the user doesn’t know it isn’t working.

    Let me know if you are interested in seeing the code changes I made.

    Happy to help in any way.

    Ben

Viewing 5 replies - 1 through 5 (of 5 total)
    > I have seen elsewhere that the plugin is listed as having a “Two Factor Authentication Bypass” vulnerability

    I would guess that’s referring to the issue where it’s activated on a single site in a multisite network. That’s the only actual bug that I’m aware of (as opposed to a plugin conflict).

    This reply was modified 6 years, 10 months ago by Ian Dunn.
    Thread Starter demotic

    (@demotic)

    Thanks for your reply @iandunn. I have been reading the Ultimate Member source code and I believe the problem is with that plugin.

    This plugin also attempts to hook into ‘authenticate’, but what it does is remove a standard WP filter:

    remove_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 );

    It then adds this filter in order to check the account approval status during authentication:

    add_filter('authenticate', 'um_wp_form_errors_hook_logincheck', 999, 3);

    I believe the problem lies in the fact that this new filter is run way after the Google Authenticator plugin has done its thing, and in fact, it then re-authenticates by virtue of its last line being:

    return wp_authenticate_username_password( $user, $username, $password );

    This means that even if $user contains a WP_Error object (as it may following any filters run before 999), the function will re-authenticate using $username and $password in order to get a valid $user object to pass back – regardless of the outcome of Google Authenticator or any other authentication plugin.

    I am going to report this issue to the Ultimate Member plugin author.

    With regards to the filter ‘wp_authenticate_user’, there is a @todo in the source code which suggests that this filter may be deprecated in the future.
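    The filter-ordering problem described in this post, as an added illustration that is not code from Ultimate Member, Google Authenticator, WordPress core or this thread: a minimal stand-in for the WordPress ‘authenticate’ filter chain shows how a priority-999 callback that ends in wp_authenticate_username_password() discards a WP_Error set by an earlier OTP check, beside a variant that passes the error through. The stub hook functions, the constructed account, the submitted OTP and the names otp_check, logincheck_unsafe and logincheck_safe are all assumptions for the illustration.

```php
<?php
// Added illustration, not code from Ultimate Member, Google Authenticator or WordPress core:
// a stand-in for the `authenticate` filter chain showing how a late, unconditional
// wp_authenticate_username_password() call discards an earlier OTP failure. Bodies are simplified.
class WP_Error { public $code, $message;
    public function __construct($code, $message) { $this->code = $code; $this->message = $message; } }
function is_wp_error($thing) { return $thing instanceof WP_Error; }
$GLOBALS['wp_filter'] = [];
function add_filter($hook, $callback, $priority = 10) {
    $GLOBALS['wp_filter'][$hook][$priority][] = $callback;
}
function apply_filters($hook, $value, ...$args) {
    $by_priority = $GLOBALS['wp_filter'][$hook] ?? []; ksort($by_priority); // lower priority runs first
    foreach ($by_priority as $cbs) foreach ($cbs as $cb) $value = $cb($value, ...$args);
    return $value;
}
// Core-like password check: like core, it ignores an incoming WP_Error and checks credentials afresh.
function wp_authenticate_username_password($user, $username, $password) {
    if ($user instanceof stdClass) return $user;            // already an authenticated user object
    return ($username === 'alice' && $password === 'correct-horse')   // constructed test account
        ? (object)['ID' => 1, 'user_login' => 'alice']
        : new WP_Error('invalid_credentials', 'Bad username or password');
}
// OTP check as a 2FA plugin might hook it at priority 50: a wrong code yields WP_Error.
function otp_check($user, $username, $password) {
    if (is_wp_error($user)) return $user;
    return $GLOBALS['submitted_otp'] === '123456' ? $user : new WP_Error('bad_otp', 'Invalid OTP');
}
// Pattern described in the thread: re-authenticate regardless of what earlier filters returned.
function logincheck_unsafe($user, $username, $password) {
    return wp_authenticate_username_password($user, $username, $password);
}
// Hardened variant: an error set by an earlier filter is passed through, not overridden.
function logincheck_safe($user, $username, $password) {
    if (is_wp_error($user)) return $user;
    return wp_authenticate_username_password($user, $username, $password);
}
function run_login($username, $password, $otp, $late_filter) {
    $GLOBALS['wp_filter'] = []; $GLOBALS['submitted_otp'] = $otp;
    // As in the thread: the core filter at priority 20 has been removed; the plugin's own runs at 999.
    add_filter('authenticate', 'otp_check', 50);
    add_filter('authenticate', $late_filter, 999);
    return apply_filters('authenticate', null, $username, $password);
}
$r1 = run_login('alice', 'correct-horse', '000000', 'logincheck_unsafe');
$r2 = run_login('alice', 'correct-horse', '000000', 'logincheck_safe');
echo is_wp_error($r1) ? "unsafe: blocked\n" : "unsafe: logged in despite a wrong OTP\n";
echo is_wp_error($r2) ? "safe: blocked ({$r2->message})\n" : "safe: logged in\n";
```

    With the correct password and a wrong OTP, the unsafe chain ends in a user object and the safe chain ends in the ‘Invalid OTP’ WP_Error, which is the behaviour to check for when auditing any plugin that hooks ‘authenticate’ at a late priority.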

    @demotic, thank you for the very detailed post. I had the same problem and found this. I am also using UM on 2 sites where I installed this plugin, and found that any OTP bypasses it.

    > regardless of the outcome of Google Authenticator or any other authentication plugin.

    However, please note that this plugin https://wordpress.org/plugins/wp-google-authenticator/ is working fine for me on both these sites. Detailed review here: http://mag.mettaloop.com/tech/website-hosting/wordpress/2-factor-authentication-for-wordpress-sites/

    Hi, I have been using this plugin for a few years in a few sites. I have never had any issue yet, so I can confirm that it is still working well for me in all the sites.

    Kind regards

    Thread Starter demotic

    (@demotic)

    @zehawk, @mbrsolution, thanks for your notes on this topic. I reported the issue on the Ultimate Member forum on wordpress.org as I do believe it is their issue, however I have as yet received no response.

    To be clear, there is no issue with the Google Authenticator plugin, but anyone who uses Ultimate Member and Google Authenticator together (or other “authenticate” hooked plugins) should be aware that unmodified, Ultimate Member creates a security hole.

    I will mark this topic as resolved, thanks everyone.

The topic ‘Bypass OTP’ is closed to new replies.