Yubikey API usage via HTTP (2 posts)

  1. Giac0m0
    Member
    Posted 1 year ago #

    Hi Henrik,

    Thank you for writing this great security plugin. Always nice when someone already wrote something I really need!

    There is one issue I noticed though. I noticed that you call the yubikey API via the HTTP protocol - I don't really understand why Yubikey is supporting this protocol.
    Since an OTP is going over this line I would really suggest moving this over to HTTPS to make sure that the OTP is not visible to anyone who is not supposed to see this information. When doing this please make sure you validate the SSL certificate provided by the Yubikey server. This can sometimes be rather tricky with the curl library.

    Thanks again for making this plugin. And if you have any questions or need some help please feel free to contact me.

    Ruben.

    http://wordpress.org/plugins/yubikey-plugin/
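The change the post asks for, written out as an added example rather than the plugin's own code: the transport part of the OTP check done over HTTPS with certificate validation enforced and every transport error treated as "not verified". It assumes PHP 7.1+ with the curl extension and a usable system CA bundle (if there is none, point `CURLOPT_CAINFO` at one); the returned body is still meant to go through the plugin's existing response/HMAC check.

```php
<?php
// Added example, not the yubikey-plugin's code: fetch the Yubico verify
// response over HTTPS only, with the server certificate actually checked.
function yubikey_fetch_verify_response(string $otp, string $yubico_api_id): ?string
{
    // Encode both parameters instead of concatenating raw strings; the OTP
    // is user-supplied input.
    $url = 'https://api.yubico.com/wsapi/verify?' . http_build_query([
        'id'  => $yubico_api_id,
        'otp' => $otp,
    ]);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_USERAGENT       => 'WordPress Yubikey OTP login plugin',
        CURLOPT_RETURNTRANSFER  => true,
        // Refuse plaintext even if the URL or a redirect ever pointed at http.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        // Verify the certificate chain AND that the name matches api.yubico.com.
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);

    $body = curl_exec($ch);
    $errno = curl_errno($ch);               // non-zero on TLS/verification failure
    $code  = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // Fail closed: any transport or certificate problem means "not verified",
    // never "fall back to http" or "assume OK".
    if ($body === false || $errno !== 0 || $code !== 200) {
        error_log("yubikey: verify request failed (curl errno $errno, HTTP $code)");
        return null;
    }
    return $body;
}
```

A `null` return must be treated as a failed login by the caller; the non-null body is then handed to the plugin's own response verification (the `yubikey_verify_hmac` step visible in the patch below this thread) before the OTP is accepted.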

  2. Mike Doherty
    Member
    Posted 7 months ago #

    I came here to report the same security flaw. api.yubikey.com supports TLS, so you only need to change the protocol to https.

    From 51eaef22d0cfc6d300e96fd43a5ffce841bdaca5 Mon Sep 17 00:00:00 2001
    From: Mike Doherty <mike@mikedoherty.ca>
    Date: Sun, 7 Dec 2014 06:46:19 +0000
    Subject: [PATCH] Contact Yubico API server over HTTPS

    Seems like an obvious security flaw.
    https://wordpress.org/support/topic/yubikey-api-usage-via-http
    ---
    wp-content/plugins/yubikey-plugin/yubikey.php | 2 +-
    1 file changed, 1 insertion(+), 1 deletion(-)

    diff --git a/wp-content/plugins/yubikey-plugin/yubikey.php b/wp-content/plugins/yubikey-plugin/yubikey.php
    index 4eddc5a..ff25b87 100644
    --- a/wp-content/plugins/yubikey-plugin/yubikey.php
    +++ b/wp-content/plugins/yubikey-plugin/yubikey.php
    @@ -379,7 +379,7 @@ function yubikey_verify_hmac($response,$yubico_api_key) {
    * @return Boolean Is the password OK ?
    */
    function yubikey_verify_otp($otp,$yubico_api_id,$yubico_api_key){
    - $url="http://api.yubico.com/wsapi/verify?id=".$yubico_api_id."&otp=".$otp;
    + $url="https://api.yubico.com/wsapi/verify?id=".$yubico_api_id."&otp=".$otp;

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_USERAGENT, "WordPress Yubikey OTP login plugin");
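    Review bot: changing the scheme in `$url` to https does not by itself make the certificate check the first post asked for; the context lines show only `CURLOPT_USERAGENT` being set, so the request is relying on curl's defaults for `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`, which are commonly overridden in PHP deployments. Set both explicitly (`CURLOPT_SSL_VERIFYPEER => true`, `CURLOPT_SSL_VERIFYHOST => 2`) and treat a non-zero `curl_errno()` as a failed verification rather than letting the caller see an empty response. While touching this line, `$yubico_api_id` and `$otp` are concatenated into the query string unencoded; wrap them in `urlencode()`.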
    --
    1.9.1

Topic Closed

This topic has been closed to new replies.
