There’s a report out of a new security vulnerability affecting both WordPress.com accounts (you know it if you have it) and self-hosted WordPress sites (you probably know it if you have this one too!). If not, just ask below and leave your link.

The problem is more serious on WordPress.com sites and there is no fix scheduled yet.

Self-installed WordPress sites (like this one) should be secured again in a couple of weeks when the next auto-update rolls out.

In the meantime, to be safest you should avoid logging into WordPress on public Wi-Fi until this is resolved. It’s unfortunate that this particular vulnerability exists, but one of the positives about the open source community is that they can be very flexible in responding with a solution!

See the original article by Ars Technica below and a follow-up article by PC World for the details.

Cookies open WordPress accounts to easy hijacking

If you’re a WordPress.com user you’ll want to be extra cautious the next time you’re tempted to whip up a blog post from your local coffee shop. If anyone on the same open connection is using a network-sniffing tool like Firesheep, your WordPress.com account could be easily hacked. Writing on her personal blog (and first reported by Ars Technica), Zhu noticed that WordPress.com was sending a login confirmation cookie to the user’s browser unencrypted.

Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass

Memo to anyone who logs in to a WordPress.com-hosted blog from a public Wi-Fi connection or other unsecured network: It’s trivial for the script kiddie a few tables down to hijack your site even if it’s protected by two-factor authentication. Yan Zhu, a staff technologist at the Electronic Frontier Foundation, came to that determination after noticing that WordPress.com servers send a key browser cookie in plain text, rather than encrypting it, as long mandated by widely accepted security practices. Once a browser presents the cookie, WordPress.com servers will usher the user behind a velvet rope to highly privileged sections that reveal private messages, update some user settings, publish blog posts, and more.
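The weakness both articles describe is a login cookie that the browser will send over plain http://, where anyone on the same network can read it. As an added example (not code from either article or from WordPress), here is a small Python audit that parses Set-Cookie headers and flags session-type cookies that lack the Secure attribute, which is the setting that keeps a cookie off unencrypted connections; the sample headers and cookie names are constructed, and the name hints are an assumption.

```python
"""Audit Set-Cookie headers for session cookies that would travel in the clear.

Added example, not from the article or from WordPress. A cookie without the
Secure attribute is attached to every http:// request as well as https://, so
a passive sniffer on shared Wi-Fi can capture and replay it. Sample headers
below are constructed; cookie names are hypothetical, not WordPress.com's.
"""
from http.cookies import SimpleCookie

# Constructed sample response headers (hypothetical cookie names).
SAMPLE_HEADERS = [
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly",
    "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: theme=dark; Path=/",
]

# Substrings that suggest a cookie carries authentication state (assumption).
SENSITIVE_HINTS = ("session", "auth", "login", "token")


def parse_set_cookie(header):
    """Return (cookie name, {attribute: value}) for one Set-Cookie header line."""
    _, _, value = header.partition(":")
    jar = SimpleCookie()
    jar.load(value.strip())
    (name, morsel), = jar.items()          # exactly one cookie per header
    attrs = {k: v for k, v in morsel.items() if v}  # keep only attributes that are set
    return name, attrs


def audit(headers):
    """Return a list of (cookie name, problem) findings for sensitive cookies."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SENSITIVE_HINTS):
            continue  # not a login/session cookie by our naming heuristic
        if not attrs.get("secure"):
            findings.append((name, "missing Secure: sent in clear over http://"))
        if not attrs.get("httponly"):
            findings.append((name, "missing HttpOnly: readable by page scripts"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(SAMPLE_HEADERS):
        print(f"{name}: {problem}")
```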
