• Resolved nilltech

    (@nilltech)


    During a new install/setup of Jetpack, it asks for a WordPress account to register. Jetpack auto-populated the username, I took a guess using an old password, and it successfully authenticated my account…using a 9 character, all lowercase, extremely weak password (keep reading, it gets better).

    Upon my next login to my domain.com/wp-admin, I see a new option to use WordPress account to login. Clever…or maybe not?

    Well, later I get an email notification from Wordfence that someone logged into my account, as me, from a different country!!!

    Immediately logged in and blocked their IP, killed the sessions, reset accounts/password, etc.

    How could someone from another country gain access as me to my website?

    Then it hit me, that awesome SSO Jetpack feature that comes enabled by default!

    Rewind for a moment, months back, I'm logging into mydomain.com/wp-admin and I get a notification about my password being identified on a compromised password database, and I was forced to change it.

    Forward to today, it now appears they used the compromised wordpress.com account, identified as compromised by www.remarpro.com, to login to mywebsite.com/wp-admin.

    So WordPress identifies the account is compromised and alerts you to take action, only to give backdoor access using the official WordPress Jetpack plugin?!?!?!

    Seems like wordpress.com should cross-reference the same compromised password database, as the one www.remarpro.com uses when logging into domain.com/wp-admin. And, not force SSO as an enabled default without ensuring some kind of password strength, as they do for any other account that gains access to the website/blog.

    Cannot make this stuff up.

    • This topic was modified 3 years, 11 months ago by nilltech.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor Jen H. (a11n)

    (@jenhooks)

    Hi @nilltech,

    Jetpack Secure Sign-On is deactivated by default; you have to intentionally opt-into enabling it.

    Jetpack would have auto-populated the username if you were logged into WordPress.com in the same browser. This is a run-of-the-mill cookies thing, and not necessarily a security risk. Also, if I’m understanding correctly, this doesn’t sound like “backdoor access” as much as it is more of a weak password scenario, which you have complete control over.

    If you’re able to reproduce SSO being auto-enabled on a test site, please reach out to us at the form here, with steps to reproduce, and make sure to link this thread in your ticket. Also, write to us from the email address you use on your WordPress.com account, so we can verify your ownership of this site. We can take a closer look.

    Thanks!

    Thread Starter nilltech

    (@nilltech)

    I sense pushback instead of trying to see the big picture. Don’t just assume we are talking about a weak password, we are talking about how Jetpack gives full admin access to wp-admin, with known compromised accounts as a backdoor…intentional or not.

    And I really don’t believe SSO was enabled, as Jetpack was not configured, but somehow alerting us when the server went down. Honestly, it was that feature that had me give Jetpack a try…but it worked without being configured/clicking the setup button. (I have emails from Jetpack [90029146/intermittent] that you can see were clearly sent in December, before we clicked setup a couple days ago. Just compare my emails from Jetpack to your user registration log, and analyze the data for a clearer picture.)

    Weak password, I agree…it was an account from years ago that I didn't even realize I had. But you provided back door access, using that weak password.

    Security should be consistent. But the way it was implemented, using different password restrictions/complexity depending on how you login (site username/password vs WordPress username/password)…that is a security risk.

    Question – Months back, did WordPress ever check our account password against a compromised password list, and force us to change our password?

    Was this done across both platforms, www.remarpro.com and wordpress.com, or just www.remarpro.com?

    Why would you only do it to one, and then give back door access to a website's wp-admin using a compromised account password?

    That is what I am labeling a security risk.

    Great idea, just forgot to match your password policies across platforms before creating the backdoor. Single Sign On should have a Single Password policy.

    Simple fix, check WordPress.com accounts against the compromised password database that you guys used on our wp-admin accounts, and require the password be reset following the security policy you have defined for self-hosted websites.

    • This reply was modified 3 years, 10 months ago by nilltech.
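
The "simple fix" in the reply above (check the presented password against a compromised-password list and force a reset) is something a self-hosted site can do for its own login path. Below is an added example, not Wordfence's or Jetpack's code, of a must-use plugin that does exactly that using the k-anonymity range format: only the first five hex characters of the password's SHA-1 leave the site, and the remaining 35 are compared locally. The range data in the file is a constructed stand-in so it runs offline; the function names are mine, and a real deployment would fetch the range for the prefix over HTTPS and cache it.

```php
<?php
/**
 * Plugin Name: Breached-password check on local logins
 *
 * Added example (not Wordfence's or Jetpack's code). Drop into
 * wp-content/mu-plugins/ to reject logins whose password appears in a
 * breached-password list, using the k-anonymity range format: hash the
 * password with SHA-1, send only the first five hex characters to the
 * breach-corpus service, and compare the remaining 35 characters locally
 * against the returned "SUFFIX:COUNT" lines. The range data here is a
 * constructed stand-in so the file runs offline.
 */

/** Return the breach count for $password within one range of "SUFFIX:COUNT" lines, or 0. */
function hardening_example_breach_count( string $password, array $range_lines ): int {
    $suffix = substr( strtoupper( sha1( $password ) ), 5 ); // characters 6..40 of the hash
    foreach ( $range_lines as $line ) {
        $parts = explode( ':', trim( $line ), 2 );
        if ( 2 === count( $parts ) && hash_equals( $parts[0], $suffix ) ) {
            return (int) $parts[1];
        }
    }
    return 0;
}

/**
 * Constructed stand-in for the range service. Prefix "5BAA6" is the real
 * SHA-1 prefix of the string "password"; the counts are made up.
 */
function hardening_example_fetch_range( string $prefix ): array {
    $constructed = array(
        '5BAA6' => array(
            '1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493', // suffix of sha1("password")
            '00000000000000000000000000000000001:2',       // filler entry
        ),
    );
    return $constructed[ $prefix ] ?? array();
}

/** True when the password appears in the breach list at least once. */
function hardening_example_is_breached( string $password ): bool {
    $prefix = substr( strtoupper( sha1( $password ) ), 0, 5 );
    return hardening_example_breach_count( $password, hardening_example_fetch_range( $prefix ) ) > 0;
}

if ( function_exists( 'add_filter' ) ) {
    // Priority 40 runs after core's username/password handler (priority 20),
    // so $user is a WP_User only if the local password was already verified.
    // Cookie-based re-authentication passes an empty password; skip it.
    add_filter( 'authenticate', function ( $user, $username, $password ) {
        if ( ! ( $user instanceof WP_User ) || '' === (string) $password ) {
            return $user;
        }
        if ( hardening_example_is_breached( (string) $password ) ) {
            error_log( sprintf( 'breached-password login blocked for user %s', $user->user_login ) );
            return new WP_Error(
                'breached_password',
                'This password appears in a known data breach. Use "Lost your password?" to set a new one before signing in.'
            );
        }
        return $user;
    }, 40, 3 );
}
```

The caveat that matters for this thread: a Jetpack SSO login never presents the WordPress.com password to the self-hosted site, so nothing hooked into `authenticate` here can see it. Breach-checking that credential can only happen on the WordPress.com side, which is the gap the post describes; on the site side, the control for the SSO path is requiring two-step authentication for SSO logins in Jetpack > Settings > Security.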
    Thread Starter nilltech

    (@nilltech)

    UPDATE:

    “Question – Months back, did WordPress ever check our account password against a compromised password list, and force us to change our password?

    Was this done across both platforms, www.remarpro.com and wordpress.com, or just www.remarpro.com?”

    Upon further research, I see it is Wordfence that offers the feature to identify leaked passwords, and will force a reset when logging into wp-admin.

    My apologies for laying that feature on WordPress core.

    But the issue still remains, Jetpack providing a 2nd security policy, allowing lower level access to gain full admin privileges via wp-admin, other than what has been defined in the Users>Administrators.

    My understanding of SSO is to add convenience and increase security, not add convenience by lowering security.

    Plugin Contributor Dan (a11n)

    (@drawmyface)

    Hi @nilltech

    You’re right, that Wordfence feature (emailing you when your email address is on a compromised list to remind you to check that you use a unique password for your WordPress account) is a nice one! We’ll certainly consider doing something like that for WordPress.com accounts as well, thanks for the suggestion.

    For now, and to avoid any weakened security provided by Jetpack’s SSO feature, you could go to https://wordpress.com/me/security and enable two factor authentication on your account, thus adding an extra level of security on top of your WordPress.com account, where you hopefully already use a strong password now.

    Go to Jetpack > Settings > Security in wp-admin, and check the box to require 2 factor authentication for all SSO logins from now on. That will mean that, if you have any other registered users on your site that also use Jetpack’s SSO to log in, they will need to be using two factor authentication to be able to log in.

    Hope that helps!
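
The two settings in the reply above are toggled from the Jetpack UI, which means a later admin can untick them. As an added example (not Jetpack's own code), the must-use plugin below pins them in code for the site. It assumes Jetpack's SSO module applies the filters `jetpack_sso_require_two_step` and `jetpack_sso_new_user_override` (check the names against your installed Jetpack version) and that the site is self-hosted with Jetpack connected; the login logging at the end uses core's `wp_login` action.

```php
<?php
/**
 * Plugin Name: Pin Jetpack SSO to two-step authentication
 *
 * Added example (not Jetpack's own code). Drop into wp-content/mu-plugins/ so
 * the settings from Jetpack > Settings > Security are enforced in code and
 * cannot be relaxed from the UI.
 * Assumptions: Jetpack's SSO module applies the filters
 * 'jetpack_sso_require_two_step' and 'jetpack_sso_new_user_override'
 * (verify the names in your installed Jetpack version).
 */

// Every SSO login must come from a WordPress.com account with two-step
// authentication enabled; a password-only WordPress.com login is refused.
add_filter( 'jetpack_sso_require_two_step', '__return_true' );

// Never auto-create a local user for a WordPress.com account that has no
// matching user in Users > All Users; SSO may only sign in existing users.
add_filter( 'jetpack_sso_new_user_override', '__return_false' );

// Record every successful login with its source address, so an unexpected
// location like the one reported in the opening post shows up in the log.
add_action( 'wp_login', function ( string $user_login, WP_User $user ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf( 'login: user=%s id=%d ip=%s', $user_login, $user->ID, $ip ) );
}, 10, 2 );
```

Files in `wp-content/mu-plugins/` load on every request and have no activate/deactivate switch in the admin, which is the reason to put a hardening pin there rather than in a regular plugin. If the site sits behind a reverse proxy, `REMOTE_ADDR` will be the proxy's address; read the forwarded header only if that proxy is the sole path to the site.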

  • The topic ‘Jetpack SSO Security Risk using WordPress.com login’ is closed to new replies.