There was a recent report on a vulnerability with cookies that should raise the alarm for WordPress users like me who compose blog posts and articles using this blogging platform.
The issue was first discovered by Yan Zhu, a staff technologist at the Electronic Frontier Foundation. The vulnerability comes into play when you use an open Internet connection in a public setting, say, a restaurant or coffee shop. A sniffing tool called Firesheep, among others, has been shown to capture login cookies that are sent to your browser in unencrypted form.
And if some malicious attacker happens to be using the same open connection that you are on, then you’re in a bad situation.
WordPress uses the cookie in question to decide whether a user is still logged in or has logged out of his or her account. Cookies are also used by other Internet services such as email, social media accounts, online bank accounts and many more.
The cookie matters because it spares you the hassle of entering your username and password each time you return to a frequently visited website. In other words, it is a badge of your online identity, and it will keep rubber-stamping your logins to a website until the cookie expires at a certain point in time.
What happens when this kind of sensitive information becomes exposed to bad actors online? Well, if WordPress in particular transmits its cookies unencrypted, in plain text, it is the same as handing your WordPress credentials to hackers.
That single piece of information alone can jeopardize your blog because once it falls into the hands of hackers, they are essentially in control of your WordPress account and may post blog entries using your hijacked identity. They may even display malicious links to your website to spread a phishing campaign. And you are helpless.
The cookie is also hard to wipe out immediately just by logging out of your WordPress account, because it does not expire within a few days. WordPress cookies expire after three years! In contrast, cookies from other websites expire in just two weeks.
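The two weaknesses described above, a login cookie sent without the Secure flag and one that lives for years, can both be spotted in a site's Set-Cookie response headers. The following audit script is an added example, not code from the original post or from WordPress; the headers it inspects are constructed samples, and the cookie names and lifetimes in them are assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers modelled on the weaknesses the post
# describes; they are not captured WordPress.com responses.
NOW = datetime(2014, 5, 1, tzinfo=timezone.utc)  # fixed "now" so results are stable
MAX_SESSION_DAYS = 14  # the two-week lifetime the post cites for other sites

SAMPLES = [
    # login cookie: no Secure flag and roughly a three-year lifetime
    "wordpress_logged_in_EXAMPLE=alice%7CEXAMPLE; path=/; expires=Thu, 01 Jun 2017 00:00:00 GMT; HttpOnly",
    # two-week cookie that is only ever sent over HTTPS
    "wp_session=EXAMPLE; path=/; Max-Age=1209600; Secure; HttpOnly",
    # browser-session cookie, but sent in the clear and readable by scripts
    "prefs=dark; path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {lowercase attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def lifetime_days(attrs, now=NOW):
    """Cookie lifetime in days; 0 means it dies with the browser session."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return 0


def audit_cookie(header, now=NOW, max_days=MAX_SESSION_DAYS):
    """Return (name, findings) for one header; an empty list means no issue found."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: sent over plain HTTP, sniffable on open Wi-Fi")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by page scripts")
    days = lifetime_days(attrs, now)
    if days > max_days:
        findings.append(f"lives {days:.0f} days, longer than the {max_days}-day norm")
    return name, findings


def audit_all(headers, now=NOW):
    """Map each cookie name to its list of findings."""
    return dict(audit_cookie(h, now) for h in headers)
```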
The best thing to do to address this vulnerability is to enable two-factor authentication on your WordPress account, so that you avoid getting locked out of your blog if your WordPress.com cookies fall into the wrong hands.