Eric Mann notes that “WordPress nonces…

Eric Mann notes that “WordPress nonces are, admittedly, not numbers and not used once.” Since they’re not “true nonces,” WordPress nonces “fall down horribly” and constitute a “fatal flaw” when developers use them to secure the admin. 🔓

Eric says we urgently need “true cryptographic operations,” and there’s a possible path to that destination, but it is “incredibly steep.” It will require “a major paradigm shift in WordPress development” — and developer education.

I also want to note some comments from Andrew Nacin on Twitter: “…we shouldn’t have called them nonces. But, time-based, stateless HMAC tokens are just as valid (and commonly used) for CSRF protection. The primary point of these tokens isn’t to prevent a replay attack. Its only point is to guard against CSRF, and it does that well.”
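To make the distinction concrete, here is an added example (mine, not WordPress core code) of a time-based, stateless HMAC token of the kind Nacin describes: the token is an HMAC over a clock tick, the action, the user and the session, and verification accepts the current and previous tick window. The secret key, the 24-hour lifetime and the exact truncation are assumptions modelled loosely on the WordPress scheme; the point is that verification stores nothing, so a valid token can be presented more than once within its window, which is exactly why it stops CSRF but is not a "used once" nonce.

```python
import hashlib
import hmac
import time

# Constructed example secret; a real deployment derives it from its own secret constants.
SECRET_KEY = b"example-secret-key-not-for-production"
NONCE_LIFE = 24 * 60 * 60  # assumed lifetime: 24 hours, split into two half-life ticks


def nonce_tick(now=None):
    """Current tick: the clock divided into half-lifetime windows."""
    now = time.time() if now is None else now
    return int(now // (NONCE_LIFE / 2))


def _token_for_tick(tick, action, user_id, session_token):
    """HMAC over tick|action|user|session, truncated to 10 hex characters (assumed format)."""
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(action, user_id, session_token, now=None):
    """Issue a stateless token bound to this action, user and session for the current tick."""
    return _token_for_tick(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now=None):
    """Return 1 if the token was issued in the current tick, 2 if in the previous one, 0 if invalid.

    Nothing is recorded server-side, so the same token verifies again and again until its
    window expires: good enough to prove the request came from the site, not a one-time value.
    """
    tick = nonce_tick(now)
    for age, candidate_tick in ((1, tick), (2, tick - 1)):
        expected = _token_for_tick(candidate_tick, action, user_id, session_token)
        if hmac.compare_digest(expected, nonce):
            return age
    return 0
```

A token is rejected if any of the bound fields (action, user, session) change or once more than one full tick has passed, but accepted repeatedly inside that window.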
