Session Hijacking via *.wordpress.com domain

  •

    Hello,
    I am new to WordPress and am confused about the session cookies WordPress uses. From my understanding, when a user logs into wordpress.com, wordpress sets authentication cookies on the wordpress.com domain. This means when accessing a wordpress subdomain site (i.e. site1.wordpress.com), those session cookies are sent with the request. What is preventing an attacker from stealing those session cookies (thereby gaining access to a user’s account) when a user navigates to a malicious wordpress site?

  • Hi there,

    If someone is able to access session cookies stored in your browser, it means they already have access to your computer itself, either physically or via malware that gives them that access, which would mean much more than just your WordPress.com account is compromised.

    So the way to prevent this is to keep your browser, operating system and security software up to date, practice safe browsing habits (i.e. don’t visit dodgy sites, click on strange links, or download/install media or software from untrusted sources), and if you use a shared computer, configure your browser to automatically delete session cookies every time you close the browser so someone else with access to the same computer isn’t automatically logged into your active sessions when they open the same browser.

    All sites on WordPress.com use https by default on all public and admin pages, so authentication requests for cookies are encrypted while they’re in transit between your computer and our servers, but you can also further protect yourself by making use of a VPN, especially if you use public wifi networks.

  •

    Hi,

    The session cookies (let’s take wordpress_logged_in as an example) are set on ‘.wordpress.com’ domains. This means that when a user visits a customer’s WordPress subdomain (take mine for example https://matthewjcoley.wordpress.com/), those session cookies are transmitted in the request to the server. What is preventing a malicious WordPress user from logging these headers (let’s say in PHP) server-side when other WordPress users visit their website?

    Even if these headers couldn’t be logged server-side (for example if WordPress strips the header values before server-side code is run), an attacker could still include JS on their page that makes malicious XHR requests to the WordPress API on behalf of the user visiting their site.

    These attacks seem too simple, hence why I am asking here where in my reasoning I am going wrong :)

    Thanks,
    Matt
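    To make the cookie-scope question above concrete, here is an added example (not from this thread or from WordPress.com's code) that implements the RFC 6265 domain-matching and cookie-selection rules a browser applies before attaching cookies to a request. It uses the wordpress_logged_in name from the post and a hypothetical __Host-session cookie to contrast a parent-domain cookie with a host-only one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    """Subset of the RFC 6265 cookie-store fields that decide scope."""
    name: str
    domain: str       # effective domain, e.g. "wordpress.com"
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool = True


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or request host is a subdomain
    of cookie_domain (hostnames only; IP literals are out of scope here)."""
    rh = request_host.lower().rstrip(".")
    cd = cookie_domain.lower().strip(".")
    return rh == cd or rh.endswith("." + cd)


def cookies_sent_to(jar, request_host, https=True):
    """Names of the cookies a browser would attach to a request to
    request_host, following the selection rules of RFC 6265 section 5.4."""
    sent = []
    for c in jar:
        if c.secure and not https:
            continue                      # Secure cookies never go over http
        if c.host_only:
            if request_host.lower() != c.domain.lower():
                continue                  # host-only: exact host match only
        elif not domain_matches(request_host, c.domain):
            continue
        sent.append(c.name)
    return sent


# Constructed cookie jar (illustrative values, not real WordPress.com cookies):
# - wordpress_logged_in scoped to the parent domain, as the thread describes,
#   so every *.wordpress.com host receives it;
# - a hypothetical __Host-session cookie: the __Host- prefix requires Secure,
#   Path=/ and no Domain attribute, so it is host-only by construction.
JAR = [
    Cookie("wordpress_logged_in", "wordpress.com", host_only=False),
    Cookie("__Host-session", "wordpress.com", host_only=True),
]

if __name__ == "__main__":
    for host in ("wordpress.com", "matthewjcoley.wordpress.com", "evil-wordpress.com"):
        print(host, "->", cookies_sent_to(JAR, host))
```

Running it shows that the parent-domain cookie reaches every subdomain while the host-only cookie reaches only the host that set it, which is why the Domain attribute (or its absence) is the lever for limiting which tenants of a shared domain see a session cookie.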

  • What is preventing a malicious WordPress user from logging these headers (let’s say in PHP) server-side when other WordPress users visit their website?

    WordPress.com users do not have that type of server-level access.

    WordPress.com sites on the Business and eCommerce plans only have SFTP access for file management.

    WordPress.com sites on lower plans have absolutely no server-level access.
