| Affected plugin | Two-Factor (Plugin contributors) |
| Active installs | 40,000+ |
| Vulnerable version | <= 0.7.2 |
| Audited version | 0.7.1 |
| Fully patched version | PENDING |
| Recommended remediation | PENDING |
Description
In almost every place where a secret (the expected TOTP code, the hashed email token, the login nonce) is compared to user-supplied input, the plugin uses the ordinary string comparison operators === and !==. These return as soon as the first mismatching byte is found, so the time a request takes depends on how long the matching prefix is; they are not constant-time comparisons.
An attacker who can measure response times and send enough requests can use this side channel to recover the secret byte by byte, rather than having to guess the whole value at once.
Proof of concept
Validation of TOTP codes:
foreach ( $ticks as $offset ) {
    $log_time = $time + $offset;
    // === returns at the first mismatching byte, so the response time
    // leaks how much of the expected code the submitted $authcode matches.
    if ( self::calc_totp( $key, $log_time ) === $authcode ) {
        return true;
    }
}
return false;
Validation of 2FA codes sent over email:
// Bail if token is empty or it doesn't match.
// !== on the hashed token is a non-constant-time comparison.
if ( empty( $hashed_token ) || ( wp_hash( $token ) !== $hashed_token ) ) {
    return false;
}
Validation of the login nonce:
// !== on the nonce key is a non-constant-time comparison.
if ( $nonce !== $login_nonce['key'] || time() > $login_nonce['expiration'] ) {
    self::delete_login_nonce( $user_id );
    return false;
}
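To make the side channel concrete, here is an added example, written for this page and not code from the Two-Factor plugin, in Python rather than PHP so it runs stand-alone. It models an early-exit comparison like the === / !== checks above, represents the timing leak as the number of bytes the server inspected before answering (a constructed stand-in for measured response time), and shows an attacker recovering a 6-character secret one position at a time. The same attacker gets nothing from a constant-time comparison (hmac.compare_digest, the counterpart of PHP's hash_equals()). The secret, the alphabet and the "work" oracle are all assumptions made for the demo.

```python
"""Timing side channel in an early-exit string comparison, and why a
constant-time comparison closes it. Added example, not plugin code.
The oracle is a constructed model: instead of measuring wall-clock time it
reports how many bytes the comparison inspected, which is the quantity a
remote attacker infers from response times."""
import hmac
import string


def early_exit_equals(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Model of a non-constant-time comparison (the behaviour the advisory
    attributes to === / !== on secrets). Returns (equal, work), where work
    is the number of bytes inspected before the function returned."""
    if len(expected) != len(supplied):
        return False, 0
    work = 0
    for x, y in zip(expected, supplied):
        work += 1
        if x != y:
            return False, work          # early exit: leaks the prefix length
    return True, work


def constant_time_equals(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Hardened form: hmac.compare_digest (PHP: hash_equals) always touches
    every byte, so the work depends only on the length, never on content."""
    return hmac.compare_digest(expected, supplied), len(expected)


# Assumed secret alphabet: digits then upper-case letters (36 symbols).
ALPHABET = (string.digits + string.ascii_uppercase).encode()


def make_oracle(secret: bytes, compare):
    """Server side: accepts a candidate and returns (accepted, work)."""
    def oracle(candidate: bytes) -> tuple[bool, int]:
        return compare(secret, candidate)
    return oracle


def recover_secret(oracle, length: int, alphabet: bytes = ALPHABET) -> tuple[bytes, int]:
    """Attacker: for each position try every symbol; the symbol that makes
    the server do the most work extends the matching prefix by one byte.
    Returns (recovered_value, number_of_queries). Against a constant-time
    oracle every symbol costs the same, so the attacker just keeps the
    first symbol tried and the result is wrong."""
    prefix = bytearray()
    queries = 0
    for pos in range(length):
        best_sym, best_work = None, -1
        for sym in alphabet:
            # Unknown tail is padded with a byte outside the alphabet so it
            # never accidentally matches the secret.
            candidate = bytes(prefix) + bytes([sym]) + b"\x00" * (length - pos - 1)
            accepted, work = oracle(candidate)
            queries += 1
            if accepted:
                return candidate, queries
            if work > best_work:
                best_sym, best_work = sym, work
        prefix.append(best_sym)
    return bytes(prefix), queries


def demo(secret: bytes = b"7K3QZ9") -> dict:
    """Run the attack against both comparison styles with a constructed secret."""
    leaky, leaky_queries = recover_secret(make_oracle(secret, early_exit_equals), len(secret))
    safe, safe_queries = recover_secret(make_oracle(secret, constant_time_equals), len(secret))
    return {
        "leaky_recovered": leaky == secret,
        "leaky_queries": leaky_queries,            # 190: 36 per position, last one stops early
        "safe_recovered": safe == secret,
        "safe_queries": safe_queries,              # 216: all 36 symbols at all 6 positions
        "brute_force_space": len(ALPHABET) ** len(secret),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the plugin's PHP the fix is to compare secrets with hash_equals( $expected, $supplied ), which inspects every byte regardless of where the first mismatch sits, instead of === / !==. In practice an attacker needs many repeated measurements per guess to average out network jitter, and the leak is only useful for as long as the compared value stays valid, so a long-lived emailed token or login nonce is more exposed than a TOTP code that changes with every tick.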
Timeline
| Vendor contacted | September 07, 2022 |
| First Response | September 07, 2022 |
| Fully patched at | – |
| Publicly disclosed | April 24, 2023 |