Tuesday, January 27, 2009

ClearText Password & Wordpress

Few days back i had post about cleartext password on Jeevansathi.com now its Wordpress ! :)

You can test it, if you are having any blog on wordpress.com like www.raxitsheth.wordpress.com or you are having blog on your site which is powered by wordpress.

Create a post, password protect it. Take any cookie viewer/proxy/cookie-editor, and view your password in cleartext in your cookie !!! Can't believe.... check this snap ....









So What ???
1. storing password (in cleartext)(or any piece of info which someone can misuse) at client side is just dumb idea !

2. Even this cookie is only readable by your wordpress.com domain/subdomain/blog-address, if any bug in wordpress like XSS can exploit this.

3. Forgot the 2, if you are in cybercafe/office/behind proxy... you admin can read the password of password protected blog. !!!



Note 1 : wordpress.org is already knowing the issue [since 2 year ???] and ticket is re-opened here
http://trac.wordpress.org/ticket/3316


Note 2: If you are in/ around Mumbai, you can catch me during OWASP Meet, venue/date will be declared soon.



Interesting ???? Share your comment here....




-Raxit Sheth
www.Mykavita.com 1st birthday !

2 comments:

Anonymous said...

Dear Author raxitsheth.blogspot.com !
At all personal messages send today?

Anonymous said...

This is wonderful blog. I love it.