WordPress plugin installed on 1 million+ sites logged plaintext passwords

By | July 13, 2023
WordPress plugin installed on 1 million+ sites logged plaintext passwords
Getty Images

All-In-One Security, a WordPress security plugin installed on more than 1 million websites, has issued a security update after being caught three weeks ago logging plaintext passwords and storing them in a database accessible to website admins.

The passwords were logged when users of a site using the plugin, typically abbreviated as AIOS, logged in, the developer of AIOS said Thursday. The developer said the logging was the result of a bug introduced in May in version 5.1.9. Version 5.2.0 released Thursday fixes the bug and also “deletes the problematic data from the database.” The database was available to people with administrative access to the website.

A major security transgression

A representative of AIOS wrote in an email that “gaining anything from this defect requires being logged in with the highest-level administrative privileges, or equivalent. i.e. It can be exploited by a rogue admin who can already do such things because he’s an admin.”

However, security practitioners have long admonished admins to never store passwords in plaintext, given the relative ease hackers have had for decades in breaching websites and making off with data stored on them. In that context, the writing of plaintext passwords to any sort of database—no matter who has access to it—represents a major security transgression.

The only acceptable way to store passwords for more than two decades is as a cryptographic hash that’s generated using what’s often characterized as a slow algorithm, meaning it requires time and above-average computing resources to be cracked. This precaution acts as an insurance policy of sorts. If a database is breached, threat actors will require time and computing resources to convert the hashes into their corresponding plaintext, giving users time to change them. When passwords are strong—meaning at least 12 characters, randomly generated, and unique to each site—it’s generally infeasible for most threat actors to crack them when hashed with a slow algorithm.

Login processes from some larger services often employ systems that attempt to shield the plaintext contents, even from the site itself. It still remains common, however, for many sites to briefly have access to the plaintext contents before passing them to the hashing algorithm.

The password logging bug surfaced at least three weeks ago in a WordPress forum when a user discovered the behavior and worried in a post it would result in the organization failing an upcoming security review by third-party compliance auditors. On the same day, an AIOS representative responded, “This is a known bug in the last release.” The representative provided a script that was supposed to clear the logged data. The user reported that the script didn’t work.

The user also asked why AIOS wasn’t making a fix generally available at that time, writing:

This is a HUGE issue. Anyone, like a contractor, has access to the username and passwords of all other site admins.

Furthermore, as our pentesting has documented, contractor and site designers have very poor password practices. Our contract’s credentials are the same ones they use on ALL OF THEIR OTHER CLIENT SITES (and their Gmail and Facebook).

AIOS offers mostly sound password guidance

Thursday’s advisory stated: “This issue was important to rectify and we apologise for the lapse,” It went on to reiterate standard advice, including:

  • Make sure that AIOS and any other plugins you use are up-to-date. This ensures that any vulnerabilities identified by developers or the community are patched, helping to keep your site secure. You can see which version of the plugin you’re using within your dashboard. You’ll be notified of any pending updates within the plugin screen on the WordPress dashboard. This information is also available within the WordPress dashboard updates section. A plugin like “Easy Updates Manager” can help you to automate this process
  • Change all passwords regularly, especially if you believe your password has been compromised. This will prevent anyone with your login information from causing damage to your site, or accessing your data.
  • Always enable two-factor authentication on your accounts (WordPress and otherwise.) This extra layer of protection works by verifying your login through a second device such as your mobile phone or tablet. It’s one of the simplest and most effective ways to keep your data out of hackers’ hands: with two-factor authentication, a stolen password still does not allow an attacker to login to an account. AIOS includes a two-factor authentication module to protect your WordPress sites.

While most of the advice is sound, the recommendation to regularly change passwords is outdated. In recent years, security practitioners have concluded that password changes can do more harm than good when there’s no reason to suspect an account compromise. The reasoning: regular password changes encourage users to choose weaker passwords. Microsoft has characterized the practice as “ancient and obsolete.”

Anyone using AIOS should install the update as soon as practicable and ensure the log deletion works as described. End users or admins who suspect their password was captured by a website using AIOS should change it on that site and, in the event they use the same password on other sites, those other sites as well.

Source