[wp-hackers] Implications of failure to change 'unique' keys and salts

Abdussamad Abdurrazzaq abdussamad at abdussamad.com
Fri Oct 26 15:30:33 UTC 2012


According to the site you linked to you can brute force login if you try 
continuously for a week. So not exactly "at will".

On 10/26/2012 03:36 PM, David Anderson wrote:
> I've been handed a hacked site to investigate. Unfortunately the 
> client deleted the hacked version and had no logs, so I'm just looking 
> for probable cause rather than doing forensics on the hacked site.
>
> The client had not changed any of the 'Authentication Unique Keys and 
> Salts' in wp-config.php
>
> I read 
> http://codeseekah.com/2012/04/09/why-wordpress-authentication-unique-keys-and-salts-are-important/, 
> and that seems to say that if the keys/salts are known, then you can 
> forge an authentication cookie at will - you don't need any 
> man-in-the-middle access to observe any existing session to do so. Can 
> anyone confirm if that is right?
>
> If that is right, then it seems to me that WordPress should refuse to 
> run if the 'default' entry for any key is still "put your unique 
> phrase here". I did an audit of my web hosting customers, and found 
> two others who had this too. So across the Internet there must be tens 
> of thousands at least. But is it right?
>
> Thanks,
> David
>
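The check David proposes above (refuse to run, or at least warn, while any of the eight keys still holds the sample-file placeholder) is easy to script for a hosting audit like the one he describes. The following is an added example, not code from the thread or from WordPress itself; it uses the real WordPress constant names, while the minimum-length threshold, the sample wp-config.php block and the regex are assumptions of the example.

```python
import re
from collections import Counter

# The eight signing secrets WordPress defines in wp-config.php (real WordPress
# constant names). Everything else in this script is an assumption of the example.
WP_SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Placeholder value shipped in wp-config-sample.php, as quoted in the thread.
DEFAULT_PLACEHOLDER = "put your unique phrase here"

# Assumed minimum length for this audit; generated keys are normally longer.
MIN_LENGTH = 32

# Matches define('NAME', 'value'); with either quote style and backslash escapes.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*"""
    r"""(['"])(?P<value>(?:\\.|(?!\3).)*)\3\s*\)\s*;"""
)


def parse_defines(config_text):
    """Return {constant: value} for every define() found in the config text."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def audit_secret_keys(config_text):
    """Check the eight WordPress secrets; return a list of (name, issue) findings."""
    defines = parse_defines(config_text)
    # Count how often each value is used so reuse across constants can be flagged.
    values = Counter(defines[k] for k in WP_SECRET_KEYS if k in defines)
    findings = []
    for name in WP_SECRET_KEYS:
        value = defines.get(name)
        if value is None:
            # Not in this file: worth checking where the site gets it from.
            findings.append((name, "not defined in this file"))
            continue
        if value.strip() == DEFAULT_PLACEHOLDER:
            # Exactly the case in the thread: the cookie-signing secret is public.
            findings.append((name, "default placeholder"))
            continue
        if len(value) < MIN_LENGTH:
            findings.append((name, "shorter than %d characters" % MIN_LENGTH))
        if values[value] > 1:
            findings.append((name, "reused for another constant"))
    return findings


# Constructed sample of the relevant block of a wp-config.php; not from a real site.
SAMPLE_WP_CONFIG = """<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'x7$Kq9!mL2#vN4^pR6&tY8*uI0(oP1)aS3-dF5_gH7+jK9=');
define('NONCE_KEY',        'x7$Kq9!mL2#vN4^pR6&tY8*uI0(oP1)aS3-dF5_gH7+jK9=');
define('AUTH_SALT',        "short");
define("SECURE_AUTH_SALT", 'Zb3&wE5*rT7(yU9)iO1_pA2+sD4-fG6=hJ8!kL0@zX2#cV4$');
define('LOGGED_IN_SALT',   'Qw1!eR3@tY5#uI7$oP9%aS2^dF4&gH6*jK8(lZ0)xC1_vB3+');
"""


if __name__ == "__main__":
    # Usage: python audit_wp_keys.py  (or pass open('wp-config.php').read())
    for name, issue in audit_secret_keys(SAMPLE_WP_CONFIG):
        print("%-18s %s" % (name, issue))
```

Run over each customer's wp-config.php, any "default placeholder" finding is the condition the thread is about; a clean result is no findings at all. The regex matches a define() even inside a PHP comment, which is acceptable for an audit that would rather over-report than miss a key.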
