Affected plugin | Two Factor Authentication |
Active installs | 20,000+ |
Vulnerable version | <= 1.14.5 |
Audited version | 1.14.3 |
Fully patched version | – |
Recommended remediation | Removal of the plugin |
Description
The plugin validates one-time passwords and emergency backup codes with PHP's loose string comparison (`==` and non-strict array_search()), which is not constant-time: the comparison stops at the first differing byte, so the time it takes depends on how much of the submitted code is correct. An attacker able to measure response times could abuse this to reverse engineer information about a user's emergency backup codes.
Proof of concept
The plugin uses the simple string comparison "==" in at least two places where a skilled and determined attacker could exploit it to find out a user's secrets using the methods explained here.
Both occurrences are located in the Simba_TFA_Provider_TOTP::check_code_for_user method.
Validating a provided six-digit one-time password:
$match = false;
foreach ($codes as $index => $code) {
    // Loose comparison: == returns as soon as a byte differs, so the time taken
    // depends on how many leading characters of the guess are correct.
    if (trim($code->toHotp(6)) == trim($user_code)) {
        $match = true;
        $found_index = $index;
        break;
    }
}
Validating a user's emergency code:
$dec = [];
foreach ($emergency_codes as $emergency_code) {
    $dec[] = trim($this->decryptString(trim($emergency_code), $user_id));
}
// array_search() without its third ($strict) argument compares with == as well,
// so the same early-exit timing behaviour applies here.
$in_array = array_search($user_code, $dec);
$match = $in_array !== false;
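To make the difference concrete, the following is an added example (not the plugin's code, and not the author's) that places the loose-comparison pattern from the two snippets above next to a constant-time replacement. The function names checkCodeLoose and checkCodeConstantTime and the sample codes are invented for this example; hash_equals() is PHP's built-in constant-time, byte-for-byte string comparison.

```php
<?php
// Added example, not part of the plugin. Function names and sample values are
// constructed for illustration.

// Vulnerable pattern, mirroring the plugin's loop: == stops comparing at the
// first differing byte and exits the loop on the first match, so the elapsed
// time depends on which candidate matched and how many leading bytes agreed.
// Because both operands are numeric strings, == also compares them as numbers.
function checkCodeLoose(string $userCode, array $candidateCodes): bool
{
    foreach ($candidateCodes as $code) {
        if (trim($code) == trim($userCode)) {
            return true;
        }
    }
    return false;
}

// Hardened pattern: hash_equals() compares byte for byte in constant time
// (PHP >= 5.6) and is strict, so "17744" no longer equals "017744". Every
// candidate is compared and the results are OR-ed together, so the loop does
// not short-circuit on the first hit and the timing does not reveal which
// candidate (if any) matched.
function checkCodeConstantTime(string $userCode, array $candidateCodes): bool
{
    $userCode = trim($userCode);
    $matched = 0;
    foreach ($candidateCodes as $code) {
        // Bitwise OR (not ||) so hash_equals() is evaluated on every iteration.
        $matched |= (int) hash_equals(trim($code), $userCode);
    }
    return $matched === 1;
}

// Constructed sample input: two "valid" six-digit codes and a user submission.
$candidateCodes = ['482193', '017744'];

var_dump(checkCodeLoose('017744', $candidateCodes));
var_dump(checkCodeLoose('17744', $candidateCodes));
var_dump(checkCodeConstantTime('017744', $candidateCodes));
var_dump(checkCodeConstantTime('17744', $candidateCodes));
```

The same loop replaces the array_search() call in the emergency-code path: iterate over the decrypted codes and OR in hash_equals() results instead of returning the first loose match. Note that hash_equals() returns false immediately when the two strings differ in length; that is acceptable here because the length of a valid code is not secret.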
Timeline
Vendor contacted | May 30, 2022 (through WPScan) |
First Response | June 28, 2022 (Vendor contacted by WPScan) |
Fully patched at | – |
Publicly disclosed | April 24, 2023 |