Security Login Bypass Vulnerability

@davidanderson Okay, I understand. I am using the Super Socializer plugin, which supports social logins like Google and Meta. However, I noticed that when a user has two-factor authentication enabled, they can still log in directly after linking their account without being blocked. This essentially renders the plugin’s functionality ineffective, which could potentially lead to security issues.

@moderator I’m sorry to hear your response. Although it’s not a security issue in the code, it is a security concern related to user behavior. Most WordPress sites now use social login software, and I chose the Two Factor Authentication plugin. Intuitively, when I enable it, I expect that regardless of the login method, users will need to enter the second factor if it’s enabled. This is also the primary reason why the code needs to be updated and continually improved. We cannot wait until a bypass is discovered, causing significant problems, and then fix the judgment that was not made initially. If other software still requires users to manually add two-factor authentication, then what is the point of using this plugin? I will address this issue myself. Thank you for your guidance!

I only received prompts such as 『Your post is being held for moderation by our automated system and will be manually reviewed by a volunteer as soon as possible.』.I did not mention that it is a security issue in the code. The oversight in user operation judgment is also an area for future optimization by the plugin author, and it does not affect other plugin users.

• This reply was modified 1 year, 5 months ago by Leo.Lin.

@moderator It’s an honor to hear your insights. Although the download count for third-party social logins is still lower than the WP download count, I believe quick login is the trend of the future. Just now, I also completed the functionality I wanted on the test site by integrating it with a two-factor authentication plugin. Below are the results I have modified, and I’ll also share a screen recording of the third-party social login combined with two-factor authentication!

Standard version：https://imgur.com/a/RwvKMXO
Third-party login version：https://imgur.com/a/4znQB7C

Constructive discussion is also a form of growth. I do not have any ill intentions. Let’s consider this discussion concluded, and I will mark this issue as resolved.

Security note: As mentioned in the comment, instead of logging in with the user’s password, a one-time password is generated. Additionally, if two-factor authentication is enabled or the user logs in using third-party social media authentication, WordPress functions will be used to clear the cookies.

//Password encryption and decryption processing is required.
wp_clear_auth_cookie(); //Clear all login data for this user
$one_time_password = hash('sha256',wp_generate_password(16, true, true)); //Use a hash to transmit a one-time password; it becomes invalid after a single failed verification.
update_user_meta($user->ID, '2fa_otp', md5($one_time_password)); //md5 or other encryption methods

//and then 
$one_time_password = get_user_meta($user->ID, '2fa_otp', true); //get user_meta 2fa_otp
if(md5($password)==$one_time_password){
    delete_user_meta($user->ID, '2fa_otp');
    return $users;
}else{
   delete_user_meta($user->ID, '2fa_otp');
   return new WP_Error(
        'incorrect_password',
        ......
   );
}

All the added code must, of course, check if two-factor authentication is enabled and if third-party login is used before execution. This also includes using cryptography for encryption and decryption to implement the required functionality. The code I provided above is for your reference, and the main goal from the beginning is to address security issues. Naturally, I will consider the security of cookie transmission and password encryption!

@macmanx If I were trying to make this plugin something it’s not, I wouldn’t have reached out to the author in the first place.My intention is to help make this plugin better. I kindly ask you to read through all the replies before commenting! I’ve been a long-term user of this plugin, and only after discovering this issue did I start trying other similar plugins. I wanted to inform the author that another plugin called “Two-Factor” has already addressed this issue.

This Plugin Video
Standard version：https://imgur.com/a/5TP9fgH
Third-party login version(Skip verification)：https://imgur.com/a/M6TfTn3

Another Two-Factor Video
Standard version：https://imgur.com/a/RwvKMXO
Third-party login version(Verification required)：https://imgur.com/a/4znQB7C

Of course, I’ve also consulted third-party communities regarding the usage of their hooks. The modified version of this plugin that I worked on uses their hooks. I mentioned the wp_login hook to the author because, upon reviewing the code of “Two-Factor,” I noticed they start their verification process from there, avoiding concerns about other login methods. As you suggested, modifying third-party plugin code isn’t ideal. However, I’ve successfully integrated two plugins, and I truly appreciate your advice.

Contact link:https://ww.wp.xz.cn/support/topic/which-hook-should-be-used-before-adding-two-factor-authentication/#post-18217027
Final video:https://imgur.com/a/fE65Xob

Below is the core of the code I modified. I am also happy to share the logic behind the changes, so others who need it in the future can modify it in this direction. I still like the author’s plugin, which is why I made this constructive suggestion!

add_action('wp_login', 'handle_social_login_and_trigger_2fa', 10, 2); //wp_login
Change into
add_action('the_champ_login_user', 'handle_social_login_and_trigger_2fa', 10, 4);//Behavior of the super-socializer after logging in

function handle_social_login_and_trigger_2fa($var...){
=>get user_id
$tfa_enabled = get_user_meta($user_id, 'tfa_enable_tfa', true);
    if ($tfa_enabled === '1') {
        =>Clear all login data for this user //wp_clear_auth_cookie(); 
        =>get user_login...
        =>make one time password... //$one_time_password = hash('sha256',wp_generate_password(16, true, true));
        =>save one time password(md5) to user_meta //update_user_meta($user->ID, '2fa_otp', md5($one_time_password))
        =>wp_redirect login page // use username and one time password login
        =>call admin-ajax.php send { action: 'simbatfa-init-otp',user: user_login}
        =>start 2fa check
        =>remove one time password //delete_user_meta($user->ID, '2fa_otp');
        =>Skip...
    }
}

• This reply was modified 1 year, 5 months ago by Leo.Lin.
• This reply was modified 1 year, 5 months ago by Leo.Lin.
• This reply was modified 1 year, 5 months ago by Leo.Lin.
• This reply was modified 1 year, 5 months ago by Leo.Lin.

@davidanderson
Details： https://short.lugeshop.com/8TPJB
Case – Cloudflare：https://imgur.com/a/G0tqcqp
The final video：https://www.youtube.com/watch?v=NeQ9BtCApvw
I have successfully completed the integration and informed the users of my platform. Thank you very much for taking the time to understand my requirements. Currently, the main challenge I am facing is the data transmission after redirecting to the login page following third-party social login. Using the standard input.value to assign a value to the account field fails to successfully trigger the admin-ajax.php request for the simbatfa-init-otp action. As a result, using JavaScript to submit the form directly shows a validation error. To address this issue, I have switched to manually sending an AJAX request to resolve the problem with the verification box.

        <script>
        document.addEventListener("DOMContentLoaded", function() {
            var usernameField = document.getElementById('username');
            var passwordField = document.getElementById('password');
            if (usernameField && passwordField) {
                // set username and otp
                usernameField.value = '<?php echo $username; ?>';
                passwordField.value = '<?php echo $otp; ?>';
                jQuery.ajax({
                    url: '/wp-admin/admin-ajax.php',  // WordPress AJAX URL
                    type: 'POST',
                    data: {
                        action: 'simbatfa-init-otp', 
                        user: '<?php echo $username; ?>'
                    },
                    dataType: 'text',
                    success: function(response) {
                       console.log('AJAX request succeeded, response:', response);
                       var form = document.querySelector('form.woocommerce-form-login');
                       if (form) {
                           //form.submit();
                           const submitEvent = new Event('submit', { bubbles: true, cancelable: true });
                           form.dispatchEvent(submitEvent);
                           console.log('Login form submitted!');
                       }
                    }
                });
            }
        }, { once: true });
</script>

The reason I came up with this idea is that I recently used a login feature provided by Cloudflare, a domain service provider. They implemented this functionality, which gave me great peace of mind.

Our platform not only stores users’ virtual assets but also has a shopping cart for purchasing virtual goods, so we take login security very seriously. For members who have enabled 2FA, if their third-party accounts are unfortunately compromised, at least our website can provide an extra layer of protection. I fully agree that members should protect their third-party social accounts, but members who have enabled 2FA and encounter situations where they can log in without entering a verification code may suffer financial losses and blame us, the website administrators. This issue has been a long-standing struggle for us.

For example, a member once complained that despite enabling 2FA, someone was able to log into his account, place orders, or view their virtual assets without passing the 2FA process. We were quite surprised and later realized that his Meta account had been compromised, allowing access to our website. It was then that we started to recognize how important this issue is.

It has been an honor to exchange ideas with you, and I’ve learned a lot about important considerations when developing plugins. Wishing you a wonderful day!

• This reply was modified 1 year, 5 months ago by Leo.Lin.