Security Concern (ClickATell, ClickSend)
-
First, please create a GitHub repository so that people like me can create a pull request or maybe discuss these types of issues more privately. WordPress website is not exactly known for development tools.
And second, the code created for ClickATell and ClickSend providers is pretty much vulnerable to brute force attacks; not on the login process itself, but rather on the hash of the OTP code sent; which is worse since it is not possible to mitigate.
Both these plugins send the hash of the phone number and the generated OTP code to the client and since the phone number is known, the attacker only needs to crack the hash for the 9999 possible OTP codes. It takes less than a second for anyone sophisticated enough to crack the hash and to be honest you don’t need to be an expert to do so. So its a quite serious problem that might allow access to an administrator account to anyone with little knowledge.Following is a quick fix for this; just replace
$hash = md5( $str_mobile . $str_otp );
with
$hash = md5( md5( $str_mobile . $str_otp ) . wp_salt());
in “class-olws-clickatell-api.php” and “class-olws-clicksend-api.php” files.This simple change makes it a lot harder for anyone to crack the hash. A better solution would be to keep the hash in a table and not send it to the user. Or at least keep it in the PHP session.
https://www.php.net/manual/en/reserved.variables.session.php
-
DarkSoroush thank you for taking time and alerting us
any security issue worth reporting i don’t understand as to why moderator @darksoroush thinks security concert have special places to report!!This code is also vulnerable to reply attack. In other words, having a combination of [hash-pin] allows a malicious actor to log in multiple times indefinitely. A way to lessen the effect of this is to define a rolling window that passively expires the hash code. Check the following:
To generate hash:
private function olws_rolling_window($offset = 0) { $window_size = 60 * 5; return ((int) floor(time() / $window_size)) + $offset; } private function olws_generate_otp_hash( $country_code, $phone, $otp, $window = false) { if (!$window) { $window = $this->olws_rolling_window(); } $mobile_number = $country_code . $phone; $str_mobile = strval( trim( $mobile_number ) ); $str_otp = strval( trim( $otp ) ); $hash = md5(md5(md5($str_mobile . $str_otp) . $window) . wp_salt()); return $hash; }To verify hash:
if ($ref_id !== '') { for ($i = -1; $i <= 1; $i++) { $window = $this->olws_rolling_window($i); $new_hash = $this->olws_generate_otp_hash($country_code, $phone, $otp, $window); if ($new_hash === $ref_id) { $success = true; break; } } } $invalid_otp = !$success;This can and should be improved by at least keeping the last hash as a user meta information so that it can not be used more than once. But that required more changes to the main class and I was reluctant to do so. This plugin, however, must absolutely take care of this.
- The topic ‘Security Concern (ClickATell, ClickSend)’ is closed to new replies.
