Serious security issue

  • Resolved amityweb

    (@amityweb)


    8 years, 8 months ago

    There is a serious security issue with this plugin…

    Day before yesterday I was logged in as an Admin and switched to a user. I forgot I switched to a user and finished work for the day. I worked from home yesterday. I even remotely logged into my iMac and upgraded the operating system. So not only has the browser been closed, but between now and two days ago the computer has restarted several times.

    Today I come back to work and go to login and it asks me on the login screen if I want to switch back to the main admin. I click it, and it logs me in, no need need to enter my username and password.

    This is a serious security flaw. If anyone forgets to log out of the switched user, and someone else comes along and uses the computer, even after a computer restart which I find unbelievable, the other user can get full admin access.

    So please can you address this, I would expect at least to be logged out when the browser closes, or if it uses a cookie, then you need to set the cookie expire time to something reasonable (perhaps after a period of no activity).

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author John Blackbourn

    (@johnbillion)

    WordPress Core Developer

    8 years, 8 months ago

    Thanks for the concern.

    This is no different to the behaviour when you log in directly and forget to log out.

    The cookie that User Switching uses inherits the same expiry as the one you were logged in with as your original user in WordPress. If you check the “Remember me” checkbox when you log in, you’ll remain logged in for thirty days. If not, you’ll remain logged in for two days or until you close your browser.

    Plugin Author John Blackbourn

    (@johnbillion)

    WordPress Core Developer

    8 years, 8 months ago

    Actually, I’m going to correct myself here and double check what you stated you were doing.

    * When you logged in, did you check the “Remember me” checkbox?
    * Did you switch to another user or did you use User Switching’s “Switch Off” functionality prior to the steps above?

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Serious security issue’ is closed to new replies.