Breaking 2FA in WordPress: Account Takeover via CSRF in Google Authenticator
2026-4-15 05:57:47 Author: infosecwriteups.com

Miguel Angel Méndez Z.

In the WordPress ecosystem, security plugins are the first line of defense. However, when they fail, the impact can be critical.

In this article, we analyze a Cross-Site Request Forgery (CSRF) vulnerability in the Google Authenticator plugin (<= 0.55) that allows something extremely severe:

Overwrite an administrator’s 2FA secret without their consent.

Technical Summary

  • Affected Plugin: Google Authenticator (WordPress)
  • Version: <= 0.55
  • CWE: CWE-352 (CSRF)
  • Authentication Required: none for the attacker; the forged request rides on the victim's existing session, so the victim must be logged in as an administrator

Vulnerable handler:

    function save_submitted_setup_page() {
        // No check_admin_referer() / wp_verify_nonce() anywhere in this function:
        // any page that can make the administrator's browser POST here reaches
        // the update_user_option() calls below.
        $user   = wp_get_current_user();
        $secret = empty( $_POST['GA_secret'] ) ? '' : sanitize_text_field( $_POST['GA_secret'] );
        $otp    = empty( $_POST['GA_otp_code'] ) ? '' : sanitize_text_field( $_POST['GA_otp_code'] );

        // The only gate: the OTP must match the secret submitted in the same
        // request, so whoever builds the request chooses both values.
        // $relaxed_mode is not defined in this excerpt.
        if ( $timeslot = $this->verify( $secret, $otp, $relaxed_mode, '' ) ) {
            update_user_option( $user->ID, 'googleauthenticator_secret', $secret, true );
            update_user_option( $user->ID, 'googleauthenticator_enabled', 'enabled', true );
        }
    }

Root Cause

The handler never checks that the request came from the plugin's own setup form. Two standard WordPress controls, either of which would stop a forged submission, are absent:

  • check_admin_referer(), which validates the nonce (and referer) that admin forms carry
  • wp_verify_nonce(), the lower-level nonce check it builds on

The only condition the code does test is that the OTP matches the secret submitted in the same request, and both values are chosen by whoever constructs that request. Any third-party page can therefore make a logged-in administrator's browser POST a new secret: a classic CSRF, here against an extremely sensitive function, the 2FA configuration. The standard fix is to emit a nonce with wp_nonce_field() in the setup form and to call check_admin_referer() with the same action name before any update_user_option() call.

Real-World Attack Scenario

The attack is not just theoretical — it is highly exploitable and, when combined with social engineering, results in full account takeover:

1. Attacker Preparation

  • Generates a valid secret (e.g., KRUGS4ZANFZSA43B)
  • Adds it to their own Google Authenticator app
  • Sets up a phishing site

2. Social Engineering

  • Sends the administrator an email with a pretext such as "Critical 2FA security update required", linking to the phishing site

3. Victim Interaction

  • Adds the attacker’s secret to their app
  • Generates a valid OTP
  • Enters it into the malicious website

4. CSRF Execution

  • The phishing page submits a cross-site POST carrying GA_secret (the attacker's secret) and GA_otp_code (the code the victim just typed) to the plugin's setup handler
  • The victim's browser attaches the administrator's WordPress session cookie, subject to its SameSite rules: WordPress core sets no SameSite attribute on its auth cookies, Chromium treats such cookies as Lax and withholds them from a cross-site POST unless they were set within the last two minutes, while browsers without Lax-by-default send them
  • No nonce is present and none is demanded, so verify() succeeds and WordPress stores the attacker's secret

5. Result

  • The administrator's 2FA secret is replaced by the attacker's
  • The administrator's own authenticator app still holds the old secret, so their next login fails: they are locked out
  • The attacker, whose app now generates the codes the site accepts, gains full access

Attack Demonstration

Impact

  • Full account takeover
  • Persistence
  • Complete control of the second factor: the attacker's app, not the administrator's, now generates the codes the site accepts
  • Loss of access for the legitimate administrator

Source: https://infosecwriteups.com/breaking-2fa-in-wordpress-account-takeover-via-csrf-in-google-authenticator-1b01d078b4a5?source=rss----7b722bfd1b8d---4