Bypassing WordPress Login Pages with WPBiff

WordPress login pages protected by two-factor authentication can be bypassed because of certain unsafe NTP practices.

The internal clock of a remote server can be manipulated under the right conditions. Because certain WordPress Google Authenticator plugins also rely on the local timestamp, this opens up new ways to circumvent the user authentication process on the /wp-admin dashboard.

We demonstrate a practical attack against two-factor protected WordPress login pages. We are going to gain access to the dashboard without having access to the token generator app.
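The dependence on the local timestamp described above, as an added example that is not from the original post or from any plugin: an RFC 6238 code is a pure function of the shared secret and the verifier's clock, so a stateless check accepts an old code again whenever the clock returns to the old time, while a check that remembers the last accepted time step does not. The class names, `rollback_demo`, the secret and the timestamps are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret, unix_time, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: a pure function of secret and clock."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class NaiveVerifier:
    """Hypothetical verifier that trusts the local clock and keeps no state."""
    def __init__(self, secret):
        self.secret = secret
    def verify(self, code, now):
        return hmac.compare_digest(code, totp(self.secret, now))

class HardenedVerifier:
    """Hypothetical verifier that only accepts strictly newer time steps."""
    def __init__(self, secret):
        self.secret = secret
        self.last_step = -1  # would be persisted per user in a real plugin
    def verify(self, code, now):
        step = now // STEP
        if step <= self.last_step:
            return False  # clock went backwards, or the code was already used
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False
        self.last_step = step
        return True

def rollback_demo():
    secret = b"12345678901234567890"  # constructed sample secret
    t0 = 1_700_000_000                # constructed time of a legitimate login
    code = totp(secret, t0)
    naive, hard = NaiveVerifier(secret), HardenedVerifier(secret)
    first = (naive.verify(code, t0), hard.verify(code, t0))
    # Server clock is later set back to t0: the same code is presented again.
    replay = (naive.verify(code, t0), hard.verify(code, t0))
    # A fresh code at a later, correct time is still accepted.
    t1 = t0 + 3600
    fresh = hard.verify(totp(secret, t1), t1)
    return first, replay, fresh

if __name__ == "__main__":
    print(rollback_demo())
```

The stateful check follows the one-time-use requirement in RFC 6238 section 5.2; it only covers time steps at or before the last accepted login and does not replace securing the server's time source.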

The post Bypassing WordPress Login Pages with WPBiff appeared first on Rainbow and Unicorn.

This is a Security Bloggers Network syndicated blog post authored by Gabor. Read the original post at: Rainbow and Unicorn