Yan Zhu, a researcher at the Electronic Frontier Foundation (EFF) noticed that the blogs hosted on WordPress are sending user authentication cookies in plain text, rather than encrypting it. So, it can be easily hijacked by even a Script-Kiddie looking to steal information.
When WordPress users log into their account, WordPress.com servers set a web cookie with name “wordpress_logged_in” into the users’ browser, Yan Zhu explained in a blog post. He noticed that this authentication cookie being sent over clear HTTP, in a very insecure manner.
One can grab HTTP cookies from the same Wi-Fi Network by using some specialized tools, such as Firesheep, a networking sniffing tool. The cookie can then be added to any other web browser to gain unauthorized access to the victim’s WordPress account and in this way a WordPress.com account could be easily compromised.
Using stolen cookies, an attacker can get access to the victim’s WordPress account automatically without entering any credentials and fortunately the vulnerability does not allow hijackers to change account passwords, but who cares? as the affected users would have no knowledge that their wordpress account has been hijacked.“Hijacking cookie on WP gives you login for 3 years. There’s no session expiration for the cookie, even when you log out.” Yan tweeted.
Using this technique, one can also see blog statistics, can post and edit articles on the hijacked WordPress blog and same account also allows the attacker to comment on other WordPress blogs from the victim’s profile. Sounds Horrible! Isn’t it?But, an attacker “couldn’t do some blog administrator tasks that required logging in again with the username/password, but still, not bad for a single cookie.” she explained.
She recommends that WordPress ‘should set the “secure” flag on sensitive cookies so that they’re never sent in plaintext.’
The Good news is that, if you own a self-hosted WordPress website with full HTTPS support, then your blog is not vulnerable to cookies reuse flaw.