Security Notice: WordPress Plugin Vulnerability Resolution
Last week we released a WordPress plugin for Authy. A few hours after the launch we were informed by Jon Oberheide from Duo Security that our WordPress plugin contained a vulnerability. Within 10 minutes we were able to confirm the vulnerability and evaluate its security impact. Our determination was that the vulnerability was not critical, and we decided not to pull the plugin from WordPress.
We also immediately started working on a fix. Four hours later, after completing all quality checks, we released a new version that patched the vulnerability.
We are committed to being a very transparent company, so we want to detail here what the vulnerability was. We’re also working on a new webpage that will describe how we handle security vulnerabilities at Authy and how to contact us if you find one. We’ll publish it on our website and our blog in the next few days.
The Authy WordPress plugin uses two different web pages to authenticate users who have enabled two-factor authentication. On the first page the user enters their username and password, and on the second they enter their Authy Token.
Because of how WordPress authentication works, we had to reuse the same endpoint for both POST requests (username/password and token). Jon found that it was possible to bypass the password check by manipulating the first request so that it sent a valid two-factor token to the authentication endpoint. This meant that two-factor authentication was reduced to a single factor: a valid Authy Token.
Because the attacker still needs a valid Authy Token, the impact was fairly low. Authy tokens are generated using RFC 6238 with a 256-bit key (HMAC-SHA256), can only be used once and are time sensitive. That makes generating a valid token virtually impossible without access to the secret key. For instance, Authy.com has used single-factor authentication with Authy Tokens for over a year now.
Essentially, an Authy Token is much more secure than a password, and you are much more secure if you are using a token instead of a password.
So if you installed the plugin, you were still better protected than you were initially with just a password. That said, we’ve already released a new version that fixes the issue, and most people have installed it; if you still have the old version, consider updating now.
We looked at several alternatives, including checking the token and the password on the same screen. Ultimately, we decided it was best to keep a separate web page for the token. To make this work securely, when WordPress verifies your password during the logon process, we generate a long random string and return it to the browser only if the password is correct. This random string is valid once, for the next 5 minutes. So when you enter your token, your browser transparently also sends back this random string, and we verify that both the token and the random string are correct. Since only someone who knows the password can obtain the random string in the first place, by the time we verify your token we know that you know the password, without ever sending your password back over the network.
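The following is an added Python model of the patched two-step flow described above; it is not the plugin's own PHP code. The password store, the `verify_token` callback and the 5-minute nonce lifetime are assumptions made for this example (the lifetime follows the post), and the single-use random string is what stops a token-only request from skipping the password check.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

NONCE_TTL_SECONDS = 300  # the post says the random string is valid for 5 minutes


@dataclass
class TwoStepLogin:
    """Model of the fix: password -> one-time nonce -> Authy token + nonce.

    Constructed stand-ins for WordPress and Authy, not their real APIs:
    - ``passwords`` maps username -> password (plaintext only to keep the model short)
    - ``verify_token`` checks the user's Authy token and returns True/False
    """
    passwords: Dict[str, str]
    verify_token: Callable[[str, str], bool]
    _nonces: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # nonce -> (user, expiry)

    def step_one(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """First POST: verify the password; on success return the single-use nonce."""
        now = time.time() if now is None else now
        expected = self.passwords.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None  # wrong password: no nonce, so step two can never succeed
        nonce = secrets.token_urlsafe(32)  # the long random string sent to the browser
        self._nonces[nonce] = (username, now + NONCE_TTL_SECONDS)
        return nonce

    def step_two(self, username: str, token: str, nonce: str, now: Optional[float] = None) -> bool:
        """Second POST: accept only if the nonce proves step one passed AND the token is valid."""
        now = time.time() if now is None else now
        # pop() consumes the nonce, so it is valid exactly once (even if the token is wrong)
        entry = self._nonces.pop(nonce, None)
        if entry is None:
            return False  # missing or unknown nonce: a token-only request is rejected here
        owner, expiry = entry
        if owner != username or now > expiry:
            return False  # nonce issued to another user, or older than 5 minutes
        return self.verify_token(username, token)
```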
We’ve also released the full source code of the plugin if you want to check it yourself: Source Code
We want to thank Jon Oberheide from Duo Security for informing us responsibly about the vulnerability and handling the whole issue very professionally.