No CSPRNG Brings Risk to All WordPress Websites

Because WordPress lacks a CSPRNG (short for cryptographically secure pseudorandom number generator), every existing WordPress website is now at risk from attackers. It should be said that a patch exists; however, more work is needed before it can be truly viable.

A CSPRNG is a mechanism that produces random numbers on a computer which are suitable for cryptographic use, for example generating keys or salts. These numbers are in fact pseudorandom, since a truly random string can be produced only at a theoretical level.

The bug was discovered by Scott Arciszewski, a web programmer from Orlando, Florida. Mr. Arciszewski informed the maintainers of WordPress that they need to build a CSPRNG mechanism into the platform so as to eliminate even the slightest chance of someone predicting the token used for resetting passwords. According to the programmer, anyone able to predict that token would be able to take over the vulnerable WordPress websites. Currently, there is no evidence that such a method is available to accomplish this.
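The defensive pattern the article is asking for, as an added example that is not part of the original article or of WordPress itself: reset tokens drawn from the operating system's CSPRNG, stored only as a hash, bound to an expiry, compared in constant time and consumed on first use. The `_pending_resets` dictionary stands in for a database and the `user` names are constructed.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 32          # 256 bits of CSPRNG output per token
TOKEN_TTL_SECONDS = 3600  # reset links should be short-lived

# Constructed in-memory store: user -> (sha256(token), expiry). A real site uses its DB.
_pending_resets = {}


def issue_reset_token(user, now=None):
    """Create a password-reset token for `user` from the OS CSPRNG.

    `secrets` reads from the operating system's CSPRNG. Python's `random`
    module is a deterministic Mersenne Twister whose output can be reproduced
    from a recovered seed, which is exactly the predictability the article warns
    about. Only a hash of the token is stored, so a leaked table does not yield
    usable reset links.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending_resets[user] = (digest, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(user, presented, now=None):
    """Return True if `presented` is the live, unexpired token for `user`.

    A successful redemption deletes the record, so each token works once.
    """
    now = time.time() if now is None else now
    record = _pending_resets.get(user)
    if record is None:
        return False
    stored_digest, expires_at = record
    if now > expires_at:
        _pending_resets.pop(user, None)  # expired tokens are discarded
        return False
    presented_digest = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison so response timing does not reveal matching prefixes
    if not hmac.compare_digest(stored_digest, presented_digest):
        return False
    _pending_resets.pop(user, None)  # single use
    return True
```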

Scott Arciszewski has tried to bring the issue to the attention of the WordPress maintainers on several occasions, one of them at the WordCamp Orlando conference, which focuses on how WordPress can be used more effectively. The programmer is also offering a fix for the issue, written by him, to be integrated into WordPress.

WordPress currently powers more than 75 million websites, but cybercriminals might not be enticed to pursue the problem because of the complexity of creating an exploit.