WordPress issue allows for compromised accounts; addressed, but not fixed

In the release of WordPress 4.0.1 on Nov. 20, 2014, eight security flaws were addressed. One of which is listed as:

An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.

While this is stated to be fixed, an in-depth description of the problem and solution reveal that it is still possible to compromise user accounts with this method.

Pre-2008, WordPress simply checked the password you used to log in against an unsalted md5 hash stored in the database. The lack of salt, of course, means that every distinct password will map to the same hash every time. In 2008, WordPress changed their hashing algorithm to not use md5, but still checked with the md5 algorithm in case the user had not yet logged in after the change was made (after the change, hashes stored in the database were changed over).

The way WordPress addressed the hash collision issue was very simple — rather than a direct check against the md5 hash, they changed over to a separate hash equivalence check algorithm that does not allow for collisions between the new hashes and the old. But despite this, WordPress did not actually do anything about the fact that pre-2008 accounts still used the old hashes and had them stored in the database. If you have not logged in since 2008, your password is still saved as an unsalted md5, which means it is extremely vulnerable to offline attacks on the database.

https://nakedsecurity.sophos.com/2014/11/24/wordpress-issues-critical-fixes-closing-remotable-bug-and-more/

https://wordpress.org/news/2014/11/wordpress-4-0-1/

Advertisements