-
Notifications
You must be signed in to change notification settings - Fork 158
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability From Other Admin Accounts #208
Comments
Thanks for reporting the issue @richardkentgates! In #88 we're actually thinking of allowing admins to configuring 2FA for all users.
I haven't verified this but can't admins reset all user passwords in core WP? |
This is not necessarily a vulnerability but is usually the way access can be restored if an admin loses the means with which they provided a second step of authentication. Use AWS for example (they support app-based 2FA by way of tools like Google Authenticator). If you and I are both admins on an account, and you drop your phone in a mud puddle, you've lost access to your account entirely. The only way to restore access is to either call Amazon and work with a CSR to override your account and reset things, or ask me to disable 2FA for your account so you can log in and set up a new device. I'm explicitly using the phrase "mud puddle" because this is the classic mud puddle test when it comes to application security. It's a common discussion security engineers have when determining the trade-offs of any specific approach. In other words, this is somewhat by design and not a vulnerability of the system. Removing 2FA is an administrative-level operation open to anyone with administrative-level credentials. |
I can totally agree with this but there should be a selection to force users to setup Two-Step and by the hackish performance of doing this, it's obvious this is an oversight, not an intentional feature. However, I did use this to allow someone to regain access after they set it up with a faulty configuration which locked them out. So if it is something that is desirable, I think it should still be worked on to secure any real vulnerabilities that may have been overlooked. I may have some time to contribute in the next 30-90 day, bearing in mind that I'm new to WordPress development and I'm unsure of the direction of coding practices and standards for WordPress with the upcoming 5.0 release. At any rate, I think it's kick @ss that you guys are doing this work for the betterment of the platform. The world owes you much gratitude. |
Suggestion: when 2FA settings are changed, send the user an email to confirm (or at least notify). Perhaps only send the email if changed by someone other than the account holder. |
I agree that admins should be able to manage 2FA of other admins. Forcing all users (or specific roles) to enable 2FA is covered by #255 / #239. Notifying folks when settings change is covered by #476 / #484. So it seems safe to close this issue. Let me know if I missed a reason why it should stay open though. |
If you view a user with two-step setup, you can uncheck the boxes, which doesn't actually leave them unchecked after saving, but it does remove the Primary mode, leaving it wide open without requiring two-step. So if someone gets in through an Admin with weak security, they can disable two-step for other users.
The text was updated successfully, but these errors were encountered: