[wp-hackers] Implications of failure to change 'unique' keys and salts
david at wordshell.net
Fri Oct 26 10:36:41 UTC 2012

I've been handed a hacked site to investigate. Unfortunately the client
deleted the hacked version and had no logs, so I'm just looking for
probable cause rather than doing forensics on the hacked site.

The client had not changed any of the 'Authentication Unique Keys and
Salts' in wp-config.php
and that seems to say that if the keys/salts are known, then you can
forge an authentication cookie at will - you don't need any
man-in-the-middle access to observe any existing session to do so. Can
anyone confirm if that is right?

If that is right, then it seems to me that WordPress should refuse to
run if the 'default' entry for any key is still "put your unique phrase
here". I did an audit of my web hosting customers, and found two others
who had this too. So across the Internet there must be tens of thousands
at least. But is it right?

WordShell - WordPress fast from the CLI - www.wordshell.net
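
An audit like the one mentioned in the message can be scripted. This is an added example, not part of the original post: it scans the text of a wp-config.php for the eight key and salt constants and reports any that are missing, still set to the placeholder, or sharing a value. The function names and the sample config are constructed for illustration.

```python
import re

# The eight constants in the 'Authentication Unique Keys and Salts' block.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
# define('NAME', 'value'); in either quote style.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;""")

def active_lines(text):
    """Yield lines that are not commented out (comments must start the line)."""
    in_block = False
    for line in text.splitlines():
        s = line.strip()
        if in_block or s.startswith("/*"):
            in_block = "*/" not in s
        elif not s.startswith(("//", "#")):
            yield s

def audit_wp_config(text):
    """Return {constant: problem} for each key/salt that needs attention."""
    found = {}
    for line in active_lines(text):
        m = DEFINE_RE.search(line)
        if m and m.group("name") in KEY_NAMES:
            found[m.group("name")] = m.group("value")
    values = list(found.values())
    problems = {}
    for name in KEY_NAMES:
        if name not in found:
            problems[name] = "missing"
        elif found[name].strip() == PLACEHOLDER:
            problems[name] = "placeholder"
        elif values.count(found[name]) > 1:
            problems[name] = "duplicate"
    return problems

# Constructed sample config, not taken from any real site.
SAMPLE = """<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'constructed-sample-value-1');
define("LOGGED_IN_KEY",    "constructed-sample-value-2");
// define('NONCE_KEY',     'constructed-sample-value-3');
define('AUTH_SALT',        'constructed-sample-value-4');
define('SECURE_AUTH_SALT', 'constructed-sample-value-4');
define('LOGGED_IN_SALT',   'constructed-sample-value-5');
define('NONCE_SALT',       'put your unique phrase here');
"""

if __name__ == "__main__":
    for name, problem in audit_wp_config(SAMPLE).items():
        print(f"{name}: {problem}")
```
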