Yan Zhu, a staff technologist at the Electronic Frontier Foundation, came to that determination after noticing that WordPress.com servers send a key browser cookie in plain text, rather than encrypting it, as long mandated by widely accepted security practices. The cookie, which carries the tag "wordpress_logged_in," is set once an end user has entered a valid WordPress.com user name and password. It's the website equivalent of a plastic bracelets used by nightclubs. Once a browser presents the cookie, WordPress.com servers will usher the user behind a velvet rope to highly privileged sections that reveal private messages, update some user settings, publish blog posts, and more. The move by WordPress engineers to allow the cookie to be transmitted unencrypted makes them susceptible to interception in many cases.

Monday, May 26, 2014
Ars Technica

Related Issues