• Resolved virtualabode

    (@virtualabode)


    Hi

    I’ve found an issue with the passwordless login that is a major security loophole.
    As things are right now, unapproved users can access the website by requesting a passwordless login; the website will generate the link and email it to them, and once clicked, the link will grant them access as if they were approved.

    The username/password login correctly denies unapproved users access to both the website and the API, but both the website and the API allow unapproved users access via the passwordless login feature.

    What is your usual timeline for applying patches to plugins, please?

    Many thanks
    Luke
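
Added example, not part of the original thread and not the plugin's code: a minimal Python model of the flaw described in the post above, where the password path enforces approval but redeeming a passwordless link does not, shown beside a hardened redemption that goes through the same approval gate. All names (`USERS`, `require_approved`, `redeem_vulnerable`, `redeem_hardened`) and the sample accounts are hypothetical and constructed for illustration.

```python
import secrets
import time

# Constructed sample accounts: one approved, one still pending approval.
USERS = {"alice@example.test": {"approved": True},
         "bob@example.test": {"approved": False}}
TOKENS = {}      # token -> (email, expiry timestamp)
TOKEN_TTL = 600  # seconds; assumed lifetime for a login link


class LoginDenied(Exception):
    pass


def require_approved(email):
    """The gate every login path must pass before a session is created."""
    user = USERS.get(email)
    if user is None or not user["approved"]:
        raise LoginDenied("account is not approved")
    return email


def issue_token(email):
    """Create the one-time token that would be emailed as a login link."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (email, time.time() + TOKEN_TTL)
    return token


def redeem_vulnerable(token):
    """Flawed path: a valid token alone logs the user in."""
    email, expiry = TOKENS.pop(token)
    if time.time() > expiry:
        raise LoginDenied("link expired")
    return email  # approval status is never consulted


def redeem_hardened(token):
    """Fixed path: the token proves identity, approval is still required."""
    entry = TOKENS.pop(token, None)  # pop makes the link single-use
    if entry is None:
        raise LoginDenied("unknown or already used link")
    email, expiry = entry
    if time.time() > expiry:
        raise LoginDenied("link expired")
    # Checked at redemption, since approval can change after the link is sent.
    return require_approved(email)
```

A regression test for a fix of this kind should exercise every login path (password, passwordless link, API) with a pending account and expect a denial from each.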

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hello,

    I was able to replicate this issue and have submitted a bug report. You can expect a fix for it in one of the next few versions of the plugin. Unfortunately, because of the low number of users that are affected by this bug, we cannot give it a very high priority, so there is no ETA on the fix.

    Thank you for bringing this to our attention!

    Regards,
    Paul

    Thread Starter virtualabode

    (@virtualabode)

    Thank you for letting us know, Paul.

    zoey

    (@zoeyisyoung)

    Hi, may I ask if this loophole has been fixed yet? I would like to use your plugin as well, but security is #1 priority! tx

    Paul

    (@paulplapsa)

    Hello,

    No, our development team has yet to fix this issue, but I just gave the bug report a bump up in priority. Hopefully you will see a bugfix in one of the next few versions.

    Best Regards,
    Paul

    Hi there,

    What is the current status with this issue?

    Has it been resolved yet?

    Thanks,

    Erik

  • The topic ‘Passwordless login has a security loophole’ is closed to new replies.