• Resolved l3l3

    (@l3l3)


    Blocksy Companion (Pro) (1.8.9.5)

    customizer
    Header -> Account -> "logged out options" -> Account Action -> Modal

    On the frontend the forms used in this Modal have NO hidden "nonce" field!

    see (when modal is open):
    document.getElementById('loginform').elements
    document.getElementById('registerform').elements
    document.getElementById('lostpasswordform').elements

    woocommerce uses this hidden field all over the place:
    <input type="hidden" id="woocommerce-login-nonce" name="woocommerce-login-nonce" value="1234567890">

    so don't use this modal (until it's fixed), as it is a high security risk!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author creativethemeshq

    (@creativethemeshq)

    @l3l3 Thanks a lot for your heads-up — we're gonna fix this right away and push an update to both Blocksy Companion (here on wp.org) and Blocksy Companion Pro.

    Going forward, please use a different contact method for reporting security problems so that we can fix them efficiently. Please also be sure that we take those very seriously and act upon every bit of feedback that we receive, especially when it concerns the security of our users.

    The update will be out today with the fix.

    Best regards!

    Thread Starter l3l3

    (@l3l3)

    epic, thx!!

    Plugin Author creativethemeshq

    (@creativethemeshq)

    @l3l3 actually, after having a better look at the default WordPress login/lostpassword/register forms I can say that a hidden input with a nonce is not needed here. Have you actually checked the built-in forms and can confirm that those have a nonce for you?

    In this actual case a nonce is not needed because the user is required to provide his credentials and these serve as the “nonce” into the system. And the absence of a hidden input with a literal nonce in it is totally fine.

    But, again, if you really know of any exploits of our current account modal, please contact us not through an open forum (our support form is fine) so that we can act on it ASAP.

    Waiting for your reply.

    Thread Starter l3l3

    (@l3l3)

    here is the login form from the woocommerce-account page (without span, label, p, ...)

    <form class="woocommerce-form woocommerce-form-login login" method="post">
      <input type="text" class="woocommerce-Input woocommerce-Input--text input-text" name="username" id="username" autocomplete="username" value="">
      <input class="woocommerce-Input woocommerce-Input--text input-text" type="password" name="password" id="password" autocomplete="current-password">
      <input class="woocommerce-form__input woocommerce-form__input-checkbox" name="rememberme" type="checkbox" id="rememberme" value="forever">
      <input type="hidden" id="woocommerce-login-nonce" name="woocommerce-login-nonce" value="b0918731ba">
      <input type="hidden" name="_wp_http_referer" value="/my-account/">
      <button type="submit" class="woocommerce-button button woocommerce-form-login__submit" name="login" value="Anmelden">Login</button>
    </form>
    Plugin Author creativethemeshq

    (@creativethemeshq)

    @l3l3 Yes, I understand but Blocksy uses the endpoint from WordPress core for the login (wp-login.php) — you can check the endpoint of the AJAX call. And since the handler for this request is not under our control — we cannot add a nonce check inside it. Only adding a hidden input in the form is useless if there’s no actual check of it on the backend.

    But, again, all WP sites have this wp-login.php endpoint open by default without any nonce checks and there's no real security threat with that. But, there are security tools out there with which you can strengthen the security of the default login form, and as a result the login form from our account modal will be secured too — we really follow WP's conventions here.

    On the other hand, we have two additional endpoints: one for the lostpassword and another for register action (if it’s enabled) that are completely under our control. For these two we’re gonna add a nonce check for the next deploy.

    Hope this makes sense.

  • The topic ‘Security Issue: CSRF Attack (no hidden nonce input field used on account modal)’ is closed to new replies.