Warn if recovery mode available #509
It's a known issue that attackers can bypass security plugins by triggering recovery mode. Core mitigates that as best it can, but it's still a possibility. There isn't a way for plugins to opt-out (other than completely disabling the fatal error handler), but it may be reasonable to add a warning to Site Health. That could inform users of the risk of leaving it enabled, so they can judge for themselves, and disable it if they want.

Comments

It's not that Core mitigates it. You shouldn't be able to engage recovery mode without the user first taking action via an emailed link. If there is a way to bypass that we should fix it in Core.

You're right, I didn't say that clearly. What I meant was that, in the context of this plugin, an attacker could bypass 2FA if they have access to a compromised email account. That's not necessarily a problem for a WAF plugin or something, but the whole point of this plugin is to protect against situations where the user's password and/or email account are compromised.

Gotcha, understood. I think we need to be very careful about the wording. I think a lot of users would take it as a strong recommendation to turn off Recovery Mode, since it's effectively being communicated by Core.

@iandunn @TimothyBJacobs do you have any input on how this should be phrased and presented within Site Health to make this a bit more actionable for a contributor to come through and help with a PR?
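One way to implement the Site Health warning discussed in this thread, as an added example that is not the plugin's own code: it assumes WordPress 5.2 or later (wp_is_fatal_error_handler_enabled() and the site_status_tests filter are core APIs), and the function names, test slug and text domain are illustrative. The wording is deliberately informational rather than a recommendation to turn recovery mode off.

```php
<?php
// Added example, not code from the two-factor plugin. Assumes WordPress 5.2+.
// The slug 'two_factor_recovery_mode', the function names and the text domain
// 'two-factor' are assumptions for illustration only.
add_filter( 'site_status_tests', 'two_factor_example_register_recovery_mode_test' );

function two_factor_example_register_recovery_mode_test( $tests ) {
	$tests['direct']['two_factor_recovery_mode'] = array(
		'label' => __( 'Recovery mode and two-factor authentication', 'two-factor' ),
		'test'  => 'two_factor_example_recovery_mode_test',
	);
	return $tests;
}

function two_factor_example_recovery_mode_test() {
	$result = array(
		'label'       => __( 'Recovery mode is disabled', 'two-factor' ),
		'status'      => 'good',
		'badge'       => array( 'label' => __( 'Security', 'two-factor' ), 'color' => 'blue' ),
		'description' => '<p>' . __( 'The fatal error handler is disabled, so recovery mode links cannot be used to sign in without a second factor.', 'two-factor' ) . '</p>',
		'actions'     => '',
		'test'        => 'two_factor_recovery_mode',
	);

	// Recovery mode is only reachable while the fatal error handler is enabled,
	// i.e. WP_DISABLE_FATAL_ERROR_HANDLER is not true and no filter turns it off.
	// On WordPress older than 5.2 the function does not exist and there is no recovery mode.
	if ( ! function_exists( 'wp_is_fatal_error_handler_enabled' ) || ! wp_is_fatal_error_handler_enabled() ) {
		return $result;
	}

	// Informational status: describe the trade-off instead of telling the user
	// to turn recovery mode off, as the thread asks.
	$result['label']       = __( 'Recovery mode is available', 'two-factor' );
	$result['status']      = 'recommended';
	$result['description'] = '<p>' . __( 'Recovery mode lets anyone who controls an administrator\'s email account sign in through an emailed link without completing two-factor authentication. It also lets you regain access to the site after a fatal error. Weigh both before changing anything.', 'two-factor' ) . '</p>';
	$result['actions']     = '<p>' . sprintf(
		/* translators: %s: constant name */
		__( 'To remove this sign-in path, set %s to true in wp-config.php. This also disables the recovery email sent after a fatal error.', 'two-factor' ),
		'<code>WP_DISABLE_FATAL_ERROR_HANDLER</code>'
	) . '</p>';

	return $result;
}
```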