Hosted two-factor authentication firm Duo Security acknowledged late last week that it discovered a vulnerability in its WordPress plugin (duo_wordpress plugin) that could allow a user to bypass two-factor authentication (2FA) on a multisite network.
Jon Oberheide, one of Duo’s founders, stressed last week that the problem only exists for users who have multisite WordPress setups with 2FA enabled on one of their sites. Users who deploy the plugin universally (and enable it universally) on their sites are not at risk.
If a user has 2FA set up on a site, they’ll be asked for primary credentials (a username and password) and the second factor information. But if there’s another site on the same multisite network, a user from the first site can go to the second site and only be asked for primary credentials. If they have those credentials, they’ll be authenticated, and then redirected back to their first site without being asked for 2FA. It’s bypassed entirely.
Oberheide described the vulnerability’s impact in bullet points in a blog entry last week in order to clarify some misinformation he said was being spread.
- Only WordPress “Multisite” deployments that have chosen to deploy the plugin on an individual site basis are affected.
- Normal WordPress deployments or Multisite deployments with the plugin enabled globally are NOT affected.
- The user must still present correct primary authentication (e.g. username and password); only the second factor is bypassed.
Duo discovered the vulnerability and confirmed it internally earlier this month before issuing the advisory for it last week. At this time it affects version 1.8.1 and earlier of the product.
Oberheide writes that Duo is putting together a permanent fix and is working with WordPress but suggests a “core modification” may have to be made to the way the platform handles plugins to fix the issue.
The problem is not unique to Duo’s plugin; it is also present in plugins from other two-factor vendors. Oberheide and company said they’ve informed the affected vendors, and several of them, like Duo, are working on fixes.
In the meantime Duo is encouraging users who have duo_wordpress deployed on multisite setups to enable the plugin globally, and then disable it for specific user roles until a fix is issued. Users who run a different WordPress two-factor authentication plugin may want to check whether its vendor is planning a patch.
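To make the bypass described above and Duo’s interim workaround concrete, here is an added Python model of a two-site network. It is constructed for this article and is not Duo’s plugin code or WordPress’s own authentication logic; the site names, user names, passwords and roles are made up. The one assumption it encodes is the root cause the article points at: a multisite network issues a single auth cookie that every site accepts, while a per-site plugin only intervenes on the login flow of the site it is activated on. With per-site enforcement, a login on the unprotected sibling site yields a cookie the protected site honours; with network-wide enforcement plus role exemptions, no site can issue a cookie to a non-exempt user without the second factor.

```python
"""Constructed model of the multisite 2FA gap; not Duo's or WordPress's code."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    username: str
    second_factor_verified: bool


@dataclass
class MultisiteNetwork:
    users: dict                     # username -> password (constructed sample data)
    roles: dict                     # username -> role (constructed)
    site_requires_2fa: dict         # site -> bool: plugin activated on that site only
    enforcement: str = "per_site"   # "per_site" (affected) or "network" (workaround)
    exempt_roles: set = field(default_factory=set)
    # One auth cookie covers the whole network, so every site shares this store.
    sessions: dict = field(default_factory=dict)

    def requires_second_factor(self, site: str, username: str) -> bool:
        """Network-wide mode asks everyone except exempt roles; per-site mode
        asks only on sites where the plugin is activated."""
        if self.enforcement == "network":
            return self.roles.get(username) not in self.exempt_roles
        return self.site_requires_2fa.get(site, False)

    def login(self, site: str, username: str, password: str, otp_ok: bool = False):
        """Primary credentials always checked; second factor only where required."""
        if self.users.get(username) != password:
            return None
        need_2fa = self.requires_second_factor(site, username)
        if need_2fa and not otp_ok:
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = Session(username, second_factor_verified=need_2fa)
        return token

    def is_logged_in(self, site: str, token: str) -> bool:
        """Core cookie validation: any valid network cookie is accepted on any
        site. A per-site plugin hooks login, not this path, so `site` is unused."""
        return token in self.sessions


def build(enforcement: str, exempt_roles=frozenset()) -> MultisiteNetwork:
    return MultisiteNetwork(
        users={"alice": "hunter2", "bob": "s3cret"},
        roles={"alice": "administrator", "bob": "subscriber"},
        site_requires_2fa={"blog.example": True, "shop.example": False},
        enforcement=enforcement,
        exempt_roles=set(exempt_roles),
    )


def demo() -> dict:
    results = {}

    # Affected configuration: plugin activated on blog.example only.
    vuln = build("per_site")
    results["direct_login_needs_otp"] = vuln.login("blog.example", "alice", "hunter2") is None
    # Primary credentials alone on the unprotected sibling site...
    cookie = vuln.login("shop.example", "alice", "hunter2")
    # ...produce a network cookie the protected site honours without a second factor.
    results["per_site_bypass"] = vuln.is_logged_in("blog.example", cookie)
    results["session_lacks_2fa"] = not vuln.sessions[cookie].second_factor_verified

    # Workaround: plugin enabled network-wide, then disabled for the subscriber role.
    fixed = build("network", exempt_roles={"subscriber"})
    results["network_blocks_no_otp"] = fixed.login("shop.example", "alice", "hunter2") is None
    results["network_allows_with_otp"] = (
        fixed.login("shop.example", "alice", "hunter2", otp_ok=True) is not None
    )
    results["exempt_role_skips_otp"] = fixed.login("shop.example", "bob", "s3cret") is not None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model deliberately keeps `is_logged_in` ignorant of the second factor, because that is where the gap lives: once any site in the network has minted a cookie, core treats the user as authenticated everywhere, and a plugin that only runs on one site’s login form never gets another chance to ask. Enabling the plugin globally moves the check to every login form on the network, which is why Duo recommends that over per-site activation until a core-level fix exists.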