Support » Plugin: Two-Factor » Not secure

Viewing 9 replies - 1 through 9 (of 9 total)
    Plugin Author Kaspars

    (@kasparsd)

    @hongamtan Could you please elaborate on this? Did you enable one of the two factor methods in the user profile? What are the steps to reproduce the issue?

    hongamtan

    (@hongamtan)

    Hello, I’m using the WordPress app on Android, and after I enable the plugin I am still able to use the app to create posts. Note that if I’m an admin I can have unfiltered HTML, so here is the flow for an attacker:
    -> Log in to the Android app -> create a post with embedded JS code to turn off two-factor -> then wait for the admin to visit the post -> then two-factor can be turned off without entering the code from step 2.

    tanckom

    (@tanckom)

    Has this been fixed if exists?

    I am keeping a close eye on this thread as I am also keen to a response from the author @kasparsd.

    Plugin Author Kaspars

    (@kasparsd)

    The official WordPress Android app uses the XML-RPC endpoint of your blog instead of the standard login flow.

    For protecting the XML-RPC endpoint you could install the Application Passwords plugin.

    We could also add a fix to this plugin which prevents users with the two-factor plugin configured from logging-in through the REST/XML-RPC endpoints. I’ve re-opened this issue on GitHub and we’ll use that to track the progress of this.
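    The mitigation described above, as an added example that is not the Two-Factor plugin's own code: a small mu-plugin that hooks the `authenticate` filter and rejects password-only logins over XML-RPC or the REST API for any user who has a two-factor method enabled, while letting application-password logins through. It assumes the `Two_Factor_Core::is_user_using_two_factor()` helper (falling back to a hypothetical user-meta flag if the class is absent) and the core `application_password_did_authenticate` action (WordPress 5.6+).

```php
<?php
/**
 * Added example, not the Two-Factor plugin's own code. Place in wp-content/mu-plugins/.
 * Denies password-only authentication over XML-RPC and the REST API for users who
 * have a two-factor method enabled, so the app's XML-RPC path cannot skip the second factor.
 */
function example_user_has_two_factor( int $user_id ): bool {
    // Assumption: the Two-Factor plugin's helper; guarded so the file loads without it.
    if ( class_exists( 'Two_Factor_Core' ) && method_exists( 'Two_Factor_Core', 'is_user_using_two_factor' ) ) {
        return (bool) Two_Factor_Core::is_user_using_two_factor( $user_id );
    }
    // Hypothetical fallback flag for sites using another 2FA setup.
    return (bool) get_user_meta( $user_id, '_example_two_factor_enabled', true );
}

function example_block_api_login_for_2fa_users( $user, string $username ) {
    // Only act once an earlier 'authenticate' handler has resolved a WP_User.
    if ( ! $user instanceof WP_User ) {
        return $user;
    }
    $via_xmlrpc = defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST;
    $via_rest   = defined( 'REST_REQUEST' ) && REST_REQUEST;
    if ( ! $via_xmlrpc && ! $via_rest ) {
        return $user; // Interactive login still goes through the 2FA prompt.
    }
    // Assumption: core fires this action when an application password authenticated the user.
    if ( did_action( 'application_password_did_authenticate' ) ) {
        return $user; // Application passwords are the intended API credential.
    }
    if ( example_user_has_two_factor( $user->ID ) ) {
        // Detection hint: repeated hits here mean something is probing the API with a password.
        error_log( sprintf( 'Blocked API login for 2FA-enabled user %d via %s',
            $user->ID, $via_xmlrpc ? 'XML-RPC' : 'REST' ) );
        return new WP_Error(
            'two_factor_api_login_blocked',
            __( 'Password-only API login is disabled for accounts with two-factor authentication. Use an application password.' )
        );
    }
    return $user;
}
// Priority 30 runs after wp_authenticate_username_password (priority 20).
add_filter( 'authenticate', 'example_block_api_login_for_2fa_users', 30, 2 );
```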

    Plugin Author Kaspars

    (@kasparsd)

    -> Log in to the Android app -> create a post with embedded JS code to turn off two-factor -> then wait for the admin to visit the post -> then two-factor can be turned off without entering the code from step 2.

    @hongamtan The JS code couldn’t do that because there is a referrer and nonce check for all updates to the user profile.

    Plugin Author Kaspars

    (@kasparsd)

    The latest version 0.4.0 has been released and it blocks all login requests via the REST and XML-RPC APIs for users that have at least one two-factor method enabled.

    Thanks for the follow up.

    Well, I would like to thank you for your time taken, you people are the ones who make the www great, thanks!

The topic ‘Not secure’ is closed to new replies.