Nothing to stop a session hijacker from changing password
-
I went to my settings page on WordPress.com, and was about to change my password, had my current password all ready to enter it so I could change my password… but I wasn’t re-prompted. Why? Most sites ask you for your old password in the same form that you update your password to a new one, just to make sure that when “you” visit the password change page, it’s actually the real YOU. An example of when this may not be the case is if someone manages to steal your browser cookies and convince the site their computer is the one that set the “remember me” checkbox. Even more mundanely, pretty much anyone with access to your computer, perhaps a jealous or vengeful lover, might be able to change your password if you are logged in already (all the more reason not to leave your computer unattended and to avoid the “remember me” thing).
At least, that’s how it seems based on my experience changing the password through this form. I’m really hoping I’m wrong about this, and that WP developers are NOT leaving a considerable hole right in front of everyone’s faces… but considering I didn’t even get an email when I changed my password to let me know “hey, something has been changed” (I’ve waited at least 15 minutes, and shouldn’t have to wait longer for a security alert that could indicate an active attack)… I am not going to hold my breath here. -
Hi there!
I’m not showing that you have any websites hosted here at WordPress.com. To avoid confusion, there are three different “WordPress” at play here:
1. The free, open-source WordPress software which powers your website.
2. WordPress.org which is the open-source project that works on the WordPress software and where you can get the software for free to use on your own hosting provider.
3. WordPress.com which is a managed hosting provider of the WordPress software and where you’re posting to the free support forums.
If you’re changing your password here at WordPress.com, you’re correct that we don’t ask for that information or send a notice. However, for our purposes, we consider your email address to be the most important thing to prove access to your account – both from contacting support to requesting a password reset. Email changes require confirmation from a link sent to the original email address on file – if that link is not clicked, the change won’t occur.
If you’re changing it on a WordPress site not hosted here, you can see a similar behavior according to their documentation:
https://wordpress.org/support/article/resetting-your-password/
Hope that clarifies things!
-
To avoid confusion, there are three different “WordPress” at play here
To clarify: I mean WordPress.com. I’m concerned with the platform account, not the FOSS project or any hosted instances of it.
However, for our purposes, we consider your email address to be the most important thing to prove access to your account
Fair enough, and I suppose if they are already in the account (session), they can already do a lot of damage (which is why one should always be careful with “remember me”, and why the same-origin policy exists)… I just want to make sure they can’t permanently steal accounts in this way. What if they change the password then start a session of their own? Can such sessions be revoked somehow, such as by changing the password again? And how certain are you that the current password change behavior (not re-authenticating, and not sending an email about the change) is not a problem?
I would seriously consider at least adding a notification when the password gets changed. In the event the attack described occurs, the user might assume that they forgot their own password, not that it was changed, and thus might not realize that it was a sign someone was in their account. -
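As an added example (not code from the original posts, and not WordPress.com’s own implementation), the following toy in-memory Python model shows the three controls the poster asks for above: re-authenticating with the current password before a change is accepted, so a stolen cookie alone is not enough; tying every session to a per-account “password generation” so that changing the password revokes every other session, answering the “can such sessions be revoked by changing the password again?” question; and queueing a notification to the account e-mail. The `Service`, `Account` and `Session` classes, the PBKDF2 parameters and the sample account are all assumptions made for illustration.

```python
"""Toy password-change flow hardened against a session hijacker.

Added example, not WordPress code: accounts, sessions and the e-mail
outbox are plain in-memory structures so the whole thing runs offline.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000  # illustrative value; tune for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; assumed here, any modern KDF would do."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0  # bumped on every password change


@dataclass
class Session:
    account: Account
    pw_generation: int  # the generation this session was issued under


@dataclass
class Service:
    accounts: dict = field(default_factory=dict)   # email -> Account
    sessions: dict = field(default_factory=dict)   # cookie -> Session
    outbox: list = field(default_factory=list)     # (recipient, subject) notifications

    def register(self, email: str, password: str) -> Account:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, salt, hash_password(password, salt))
        return self.accounts[email]

    def _password_ok(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def login(self, email: str, password: str):
        acct = self.accounts.get(email)
        if acct is None or not self._password_ok(acct, password):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(acct, acct.pw_generation)
        return cookie

    def session_for(self, cookie: str):
        """A session is valid only if it was issued under the account's
        current password generation; older ones are dropped on sight."""
        sess = self.sessions.get(cookie)
        if sess is None or sess.pw_generation != sess.account.pw_generation:
            self.sessions.pop(cookie, None)
            return None
        return sess

    def change_password(self, cookie: str, current_password: str, new_password: str) -> str:
        sess = self.session_for(cookie)
        if sess is None:
            raise PermissionError("not logged in")
        acct = sess.account
        # Re-authentication: possession of the cookie is not enough,
        # the caller must also know the current password.
        if not self._password_ok(acct, current_password):
            raise PermissionError("current password incorrect")
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.pw_generation += 1  # every existing session now fails session_for()
        # Re-issue a fresh session for the client that made the change.
        new_cookie = secrets.token_urlsafe(32)
        self.sessions[new_cookie] = Session(acct, acct.pw_generation)
        # Notification to the address on file, so the owner learns of the change.
        self.outbox.append((acct.email, "Your password was changed"))
        return new_cookie


def demo() -> dict:
    """Constructed scenario: a hijacker holds a copy of Alice's cookie."""
    svc = Service()
    svc.register("alice@example.com", "correct horse")
    alice_cookie = svc.login("alice@example.com", "correct horse")
    stolen_cookie = alice_cookie  # the hijacker copies the cookie verbatim

    try:  # hijacker has the session but not the password
        svc.change_password(stolen_cookie, "wrong guess", "attacker pw")
        hijacker_changed = True
    except PermissionError:
        hijacker_changed = False

    # Alice changes her password herself; the stolen copy dies with the old generation.
    alice_new_cookie = svc.change_password(alice_cookie, "correct horse", "new passphrase")
    return {
        "hijacker_changed_password": hijacker_changed,
        "old_cookie_still_valid": svc.session_for(stolen_cookie) is not None,
        "new_cookie_valid": svc.session_for(alice_new_cookie) is not None,
        "old_password_still_works": svc.login("alice@example.com", "correct horse") is not None,
        "notifications": list(svc.outbox),
    }
```

The generation counter is the cheap way to get “changing the password logs out everyone else” without enumerating sessions; a real deployment would additionally store the counter server-side with the session record rather than trusting anything in the cookie, and would also notify on failed re-authentication attempts, since a wrong current password from a live session is itself a signal of the hijack described above.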
We will pass your feedback onto the security team. Thanks for taking the time to share it.
- The topic ‘Nothing to stop a session hijacker from changing password’ is closed to new replies.