CloudFlare currently issues a single API for an account – which provides full access to manage the account – it’s the equivalent of having the account password.
Assuming this plugin was deployed and configured on 10 sites, it would only take one of them to be compromised for the CloudFlare account to also be compromised (which could contain 100’s of domains). Given the history of vulnerabilities in WP, themes and plugins – this is pretty much inevitable.
Following discovery of compromise in a single WP install utilising the v3 plugin, the CloudFlare master API key would need to be reset. Then all other WP sites that have the CloudFlare plugin configured would need updating with the new key.
A much better approach is deployed by Yoast and their OAuth 2.0 process which allocates to permission for a single domain.
This could be fixed by CloudFlare in several ways:
1. Having individual API keys per domain – these API keys can only modify the settings for a single domain
2. Creating a special process for authorizing the WP plugin to manage the domain for the account it is installed on. The API key (or login) could be used for initial setup, a secret key would be generated to make all further requests but only worked for that domain (scoped requests)
- The topic ‘v3 is inherently insecure’ is closed to new replies.