• I discussed with the team that there is a hack allowing tokens to be sent without going through the login screen. As long as the user does not accept the login tokens, the overall security has held, but this is a vulnerability. Today Vikas and I hopped on a call to review this activity and he agreed the attackers are bypassing the login process somehow. He confirmed that his team will begin working on this immediately.

    I feel their response was slower than necessary but am now convinced they are addressing the right concerns.

    • This topic was modified 2 months, 2 weeks ago by awfominaya. Reason: I'm updating my response to indicate a more accurate status
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author mowpmfa (@mowpmfa)

    Hello @awfominaya,

    Thank you for reaching out and sharing your concerns.

    After reviewing your description, we can confirm that there is no known breach or vulnerability in our 2FA plugin. The behavior you mentioned seems more consistent with a case where login credentials may have been compromised externally. In such cases, attackers often attempt brute-force or automated login attempts — however, thanks to our 2FA protection, they are unable to gain access to your site without completing the second authentication step.

    Regarding the obfuscation in the premium version of our plugin, please rest assured that this is an intentional and standard security measure. We obfuscate the premium code to prevent copyright infringement and protect our proprietary functionality. Many of our customers, including large enterprises, use the same version safely and without any security issues.

    As a precaution, we would recommend resetting your WordPress admin and hosting account passwords immediately, just to eliminate any chance of unauthorized access through compromised credentials.

    Also, we’d like to clarify that our team was available at the scheduled meeting time, but it appears that you were unable to join.

    Regards,
    miniOrange Team

    Thread Starter awfominaya (@awfominaya)

    I’ve edited my original post. There is a vulnerability. However, I now believe they are addressing it.
