[wp-trac] [WordPress Trac] #44230: Export Personal Data Flaw

WordPress Trac noreply at wordpress.org
Thu Jun 21 13:23:55 UTC 2018


#44230: Export Personal Data Flaw
--------------------------+------------------------------
 Reporter:  psycleuk      |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Privacy       |     Version:  4.9.6
 Severity:  major         |  Resolution:
 Keywords:  close         |     Focuses:
--------------------------+------------------------------
Changes (by xkon):

 * keywords:   => close


Comment:

 Replying to [comment:6 psycleuk]:
 > Following up on this again, as there has been no response to concerns
 > about the data file being public and only obscured from general access.

 Let's say you know the user's email that you are after. You'd still have
 to find the time-window that the zip is available + the hash.

 The only way to have everything is to actually have access to the user's
 e-mail. And then there's seriously nothing 'we' can do about it.

 > After further review of the process, I believe there is another flaw. A
 > user does not need to log into the site to confirm the request; all they
 > need to do is click the link in the email. The process flow assumes that
 > the person clicking the link in the email will always be the person who
 > triggered the request, but if the user's email account is compromised
 > that may not be the case.
 >
 > The current process flow would allow a user to request data from a
 > WordPress site without ever logging into the site to confirm who they are;
 > all they would need access to is the email with the confirmation link.
 >
 > Given that the data being requested is about a user of the site, who will
 > therefore have an account on the site, surely the safest process to ensure
 > data security is to have the user log into their account at each step to
 > confirm they are the correct user.

 A user does not need to log in to a website because he might not have an
 account. For example, comments don't require user registration, so there's
 no need for a login to retrieve that data; you just need the e-mail
 address that you made the comments with. There are plenty of use-cases
 that will never require actual 'registration' or even actual 'access' to
 an application/website that collects data.

 If a user's e-mail is compromised as you say, then the attacker would
 probably have access to all of the subject's data already. The user's e-mail
 security isn't our problem, I believe, nor can we do anything about it. On
 the other hand, most companies that I know handling important data do
 require extra validation measures, e.g. by phone, before they even reach
 the point of e-mail validation (if they don't want to skip it), etc.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44230#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform