Skip to content

If your account here is gone, here’s why…

For the last few weeks, I've been getting hundreds of registrations here, and given (a) there's no reason to register except to post a comment, and (b) there aren't very many comments posted, I figured something was up. Until yesterday, though, I didn't know what was going on. Now, thanks to the WordPress 2.6.2 release, I do:

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.

In other words, by registering often enough with specially-crafted usernames, you may eventually be able to force the admin user's password to be reset to something random, and you may know that random password. Scary stuff. So today, I upgraded to 2.6.2, and cleaned out the vast majority of recently-created accounts.

If you'd signed up for a legit account and I zapped it, please just register again -- and sorry for the inconvenience.

2 thoughts on “If your account here is gone, here’s why…”

  1. Rob;
    My id no longer works. I tried to re-register, but it says I still exist. I tried to reset my passwor, but it won't accept the new password.

  2. Thanks for finding a problem with a new plug-in I added -- it deactivated all the accounts that existed prior to installation! That problem is fixed now.

    -rob.

Comments are closed.