[wp-meta] [Making WordPress.org] #7010: Unauthorized Swag Ordering via Guest User Checkout
Making WordPress.org
noreply at wordpress.org
Thu Jun 8 19:48:47 UTC 2023
#7010: Unauthorized Swag Ordering via Guest User Checkout
---------------------------------------------------+-----------------------
 Reporter:  Ankit K Gupta                          |      Owner:  (none)
     Type:  defect (bug)                           |     Status:  reopened
 Priority:  high                                   |  Milestone:
Component:  Swag Store (mercantile.wordpress.org)  | Resolution:
 Keywords:  dev-feedback                           |
---------------------------------------------------+-----------------------
Changes (by 5um17):
* keywords: 2nd-opinion => dev-feedback
* status: closed => reopened
* resolution: wontfix =>
Comment:
Hi @slash1andy

I hate to disagree, but this is not social engineering but an
authentication flaw.
> The only way to pull this off is to know the coupon code (sent out via
> private email) and then the email of a core contributor.
As far as I understand, the coupon code is common for all and it is just
`ThanksFor20`. @ankit-k-gupta, could you confirm what yours is?

Now that we know the coupon code, we just need an email address, and an
email address doesn't need social hacking; it is easily available in our
address book and also on the user's public profile.

IMHO, either the coupon code should be unique for each user or there should
be email authentication when placing the order to prevent this.
I hope this makes sense and you will reconsider this ticket.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/7010#comment:2>
Making WordPress.org <https://meta.trac.wordpress.org/>
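To make the two designs discussed in the comment concrete, here is a small model written for this page; it is not code from the swag store or from the ticket reporter. The `weak_checkout` function models guest checkout with one broadcast coupon (the constructed stand-in `EXAMPLE-SHARED-20`, not the real code) and a public recipient email; the `Store` class models the suggested fix, where each coupon is bound to one account, can only be redeemed by a logged-in session for that same account, and is single use. The entitled-contributor list and emails are constructed sample data.

```python
"""Model of a shared-coupon guest checkout versus a per-user, authenticated one.
Constructed example for illustration; not the swag store's own code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample data: contributors entitled to order swag.
ENTITLED: Set[str] = {"alice@example.org", "bob@example.org"}

# --- Weak design: one coupon shared by everyone, guest checkout ---------------
SHARED_COUPON = "EXAMPLE-SHARED-20"  # constructed stand-in for a broadcast code


def weak_checkout(coupon: str, recipient_email: str) -> bool:
    """Guest checkout: the order is accepted for anyone who knows the shared
    code and a contributor's (public) email; nothing proves the requester
    controls that email."""
    return coupon == SHARED_COUPON and recipient_email in ENTITLED


# --- Hardened design: per-user coupon, authenticated session, single use ------
@dataclass
class Store:
    # Server-side secret used to mint per-user coupons; never sent to users.
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    redeemed: Set[str] = field(default_factory=set)

    def issue_coupon(self, email: str) -> str:
        """Mint a coupon bound to exactly one account. In practice this value
        is emailed privately to that account; here it is derived by HMAC so
        the store can re-derive it without storing every code."""
        return hmac.new(self.secret, email.encode(), hashlib.sha256).hexdigest()[:16]

    def checkout(self, coupon: str, session_email: Optional[str]) -> bool:
        """Accept an order only when:
        1. the request comes from a logged-in (email-verified) session,
        2. that account is entitled,
        3. the coupon is the one minted for that same account, and
        4. the account has not already redeemed its coupon."""
        if session_email is None:            # no guest checkout for swag
            return False
        if session_email not in ENTITLED:
            return False
        expected = self.issue_coupon(session_email)
        if not hmac.compare_digest(coupon, expected):  # coupon bound to account
            return False
        if session_email in self.redeemed:   # single use
            return False
        self.redeemed.add(session_email)
        return True


if __name__ == "__main__":
    # Shared code + public email is enough in the weak design.
    print("weak design accepts order for bob:", weak_checkout(SHARED_COUPON, "bob@example.org"))
    store = Store()
    bob_code = store.issue_coupon("bob@example.org")
    print("guest with bob's code:", store.checkout(bob_code, None))
    print("alice with bob's code:", store.checkout(bob_code, "alice@example.org"))
    print("bob with bob's code:", store.checkout(bob_code, "bob@example.org"))
    print("bob again (already redeemed):", store.checkout(bob_code, "bob@example.org"))
```

Either half of the fix on its own closes the gap the comment describes: binding the coupon to an account stops a known shared code from being reused against any public email, and requiring an authenticated session stops an order being placed in someone else's name even if their code leaks. Doing both also gives the store an audit trail of which account redeemed which code.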