[wp-trac] [WordPress Trac] #36648: Suppressed post-usernames are being published on Flipboard user-magazines
WordPress Trac
noreply at wordpress.org
Sat Apr 23 04:47:01 UTC 2016
#36648: Suppressed post-usernames are being published on Flipboard user-magazines
--------------------------+-----------------------------
Reporter: CDN WP GUY | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.4.2
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Hey there.
So, I assume like many, I changed my dashboard 'admin' default to a harder
to guess username and then suppressed having that name appear when I post
as that user on my wp site. Basically it acts like a second level of
password, you gotta guess the username 1st, then a password if you want to
try to hack into my site – Feeling all warm and secure.
Suddenly Flipboard!
Someone sends me a link to their personal Flipboard magazine (didn't know
that was possible) and they are pulling content from my wp site. Cool!
More networking. I check out the link to their Flipboard mag.
Lo & Behold! There is my suppressed username published on the Flipboard
mag for all to see – Feeling violated.
Contacted Flipboard – final summary from them:
"In this situation, that is expected behavior. Although it may be
suppressed in WordPress, we are pulling an RSS feed that's in our
database, where "yourusername" is included in the markup, so that will
display."
("yourusername" the username for none to see).
So RSS feed, markup ... seems WP should be trapping usernames on posts if
they are suppressed ... and stripping them out of published RSS feeds or
'markup' – whatever the Flipboard guy is talking about.
Otherwise, there's not much point in offering the ability to suppress
usernames on WP posts being published elsewhere. And if we post under a
suppressed username that we like to log in with, assuming no one will see
it ... strikes me as a bit of an oops - security-wise.
Thanks for reading!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36648>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
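
A way for a site owner to check their own feed for the exposure described in the ticket; this is an added example, not part of the original report and not WordPress code. It assumes the author string is carried in the RSS `dc:creator` element (or Atom `author/name`), which the ticket does not name; the sample feed and the login name are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces for the RSS 2.0 Dublin Core creator and Atom author elements.
NS = {"dc": "http://purl.org/dc/elements/1.1/",
      "atom": "http://www.w3.org/2005/Atom"}

# Constructed sample feed; "s3cr3tadmin" stands in for a real login name.
SAMPLE_FEED = """<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Example site</title>
    <item>
      <title>First post</title>
      <dc:creator><![CDATA[s3cr3tadmin]]></dc:creator>
    </item>
    <item>
      <title>Second post</title>
      <dc:creator><![CDATA[Site Staff]]></dc:creator>
    </item>
  </channel>
</rss>"""


def feed_authors(feed_xml):
    """Return (entry title, author string) pairs from an RSS 2.0 or Atom feed."""
    root = ET.fromstring(feed_xml)  # parse only feeds you trust, e.g. your own site's
    pairs = []
    entries = root.findall(".//item") + root.findall(".//atom:entry", NS)
    for entry in entries:
        title = entry.findtext("title") or entry.findtext("atom:title", "", NS)
        names = (entry.findall("dc:creator", NS)
                 + entry.findall("atom:author/atom:name", NS))
        for el in names:
            pairs.append((title.strip(), (el.text or "").strip()))
    return pairs


def exposed_logins(feed_xml, login_names):
    """Return entries whose author string equals a login name (case-insensitive)."""
    logins = {name.lower() for name in login_names}
    return [(t, a) for t, a in feed_authors(feed_xml) if a.lower() in logins]


if __name__ == "__main__":
    for title, author in exposed_logins(SAMPLE_FEED, ["s3cr3tadmin"]):
        print(f"login name {author!r} appears as author of {title!r}")
```

An empty result for your own feed and login list means the author strings in the feed do not match any login name you supplied.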