Affected plugin | Google Authenticator |
Active installs | 30,000+ |
Vulnerable version | <= 0.54 |
Audited version | 0.54 |
Fully patched version | – |
Recommended remediation | Removal of the plugin |
Description
The plugin compares secret keys to user input with plain string comparison operators, which are not timing-safe, in almost all places where such comparisons occur.
A skilled attacker, given enough requests, can abuse this to recover secrets through a timing side-channel attack.
Proof of concept
```php
if ( $value === $thistry ) {
    // Check for replay (Man-in-the-middle) attack.
    // Since this is not Star Trek, time can only move forward,
    // meaning current login attempt has to be in the future compared to
    // last successful login.
    if ( $lasttimeslot >= ($tm+$i) ) {
        error_log("Google Authenticator plugin: Man-in-the-middle attack detected (Could also be 2 legit login attempts within the same 30 second period)");
        return false;
    }
    // Return timeslot in which login happened.
    return $tm+$i;
}
```
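As an added example (not the plugin's or the advisory's code), here is a hardened version of the window loop above: every candidate code goes through PHP's `hash_equals()` and the loop never returns early, while the replay check on the timeslot is kept. It assumes a 30-second step, six-digit codes and a secret already decoded to raw bytes; `hotp_code()` and `verify_totp()` are example names.

```php
<?php
// Added example, not the plugin's code. Each candidate code is compared
// with hash_equals() and the loop does not return on the first match, so
// response time no longer depends on how many leading characters of the
// user's input matched the real code. Assumes a 30-second step, 6-digit
// codes and a secret already decoded to raw bytes ($key).

/** HOTP (RFC 4226): 6-digit code for an 8-byte big-endian counter. */
function hotp_code(string $key, int $counter): string {
    $hmac   = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hmac[19]) & 0x0f;
    $bin    = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($bin % 1000000), 6, '0', STR_PAD_LEFT);
}

/**
 * Returns the timeslot the login matched, or false.
 * $lasttimeslot is the slot of the last successful login (replay check).
 */
function verify_totp(string $key, string $thistry, int $lasttimeslot,
                     int $now, int $window = 1) {
    // Shape check only; it depends on the input, not on the secret.
    if (!preg_match('/^[0-9]{6}$/', $thistry)) {
        return false;
    }
    $tm      = intdiv($now, 30);
    $matched = false;
    for ($i = -$window; $i <= $window; $i++) {
        // Constant-time for equal-length strings; no early return.
        if (hash_equals(hotp_code($key, $tm + $i), $thistry)) {
            $matched = $tm + $i;
        }
    }
    if ($matched === false) {
        return false;
    }
    // Replay check kept from the original: time only moves forward.
    if ($lasttimeslot >= $matched) {
        return false;
    }
    return $matched;
}

// Constructed demo: the current slot's code verifies once, then a second
// use of the same slot is rejected as a replay.
$key  = 'constructed-demo-secret-bytes';
$now  = 1700000000;
$code = hotp_code($key, intdiv($now, 30));
var_dump(verify_totp($key, $code, 0, $now));
var_dump(verify_totp($key, $code, intdiv($now, 30), $now));
```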
Timeline
Vendor contacted | September 12, 2022 |
First Response | September 12, 2022 |
Fully patched at | – |
Publicly disclosed | April 24, 2023 |
Miscellaneous
- The vendor did not consider this to be a security issue.