Facepalm: A WordPress Security Plugin With 1M Installs Saved Passwords In Plaintext

Recently, a plugin used by over a million WordPress site owners was found to have a bug in a prior release that logged passwords in plaintext. Although the problem has since been fixed in an update, those credentials may still be sitting in logs, so be sure to check yours.

The All-In-One Security (AIOS) plugin for WordPress includes login security features such as password strength meters and two-factor authentication, firewall and file protection, and content protection. While one might expect a plugin of this kind to be fairly robust, just over three weeks ago it was found to be logging passwords in plaintext. User c0ntr07 discovered that usernames and their associated passwords were being saved in the aiowps_audit_log.


Support described this as a known issue in plugin version 5.19 that would be fixed in the next release. However, c0ntr07 called them out, asking why it was not being treated as a critical vulnerability and patched immediately. He had previously noted that this sort of issue would fail compliance with NIST 800-63-3, ISO27000, CIS, HIPAA, GDPR, and others. Following this callout, support provided c0ntr07 with a development copy of the update while working to push out the full release.

It appears that quite a few users still have not updated.

Version 5.2.0, which was supposed to fix the issue, did not work for everyone, so the AIOS team had to move on to 5.2.1 to resolve it fully. At the end of the day, this highlights not only the risk of placing blind trust in security tools, but also some basic security practices. The AIOS blog notes that if someone with access to the logs containing the passwords grabbed them, those credentials could be used against the WordPress site or, via a credential stuffing attack, potentially anywhere else they were reused.

That, of course, is a subtle reminder not to reuse passwords, as it only takes one security breach to expose all of your accounts, especially those that do not use two-factor authentication, which would otherwise make an attacker's job a little more difficult. Therefore, we recommend using a password manager, so you only have to remember one complex password while still having a different password for every website. Beyond that, if you are an AIOS user, it is time to update the plugin and purge your logs to stay secure.