[wp-trac] [WordPress Trac] #44197: ZIP file containing a user’s personal data has user’s personal data in filename
WordPress Trac
noreply at wordpress.org
Tue May 22 19:16:42 UTC 2018
#44197: ZIP file containing a user’s personal data has user’s personal data in filename
--------------------------+-----------------------------
Reporter: Ov3rfly | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Privacy | Version: 4.9.6
Severity: normal | Keywords: gdpr
Focuses: |
--------------------------+-----------------------------
Example from wp-content/uploads/wp-personal-data-exports/
* wp-personal-data-file-info-at-example-com-1RwxnSYi7z...SZGjD6shoOc.zip
The email `info at example.com` can be clearly identified within the
filename.
Hosting providers worldwide: Work literally day & night to provide
anonymization of personal user data like IP addresses in access logs etc.
for GDPR compliance.
WordPress, in a core privacy feature: HMB, let's put personal user data in
a filename for personal user data.
Why this isn't a good idea in terms of GDPR and otherwise (incomplete
list):
* While the user email can usually be seen only in the server database, now
it can also be seen in the server filesystem
* During download the filename is stored in the access logs of the server
and ..
* .. in load balancer and firewall logs
* .. in proxy server logs
* .. in automated virus checking logs on proxy servers
* .. in automated virus checking logs on client
* .. in client browser history
* .. in client filesystem
* .. in client cloud backups
* ..
* After download has expired and user tries to re-download using the
expired link ..
* .. the normal WordPress 404 page is triggered and the filename ends up
..
* .. in logs and/or storage of [https://wordpress.org/plugins/search/404/
404 handling] plugins
* .. in trackers like Google Analytics or similar
* .. in Referer logs of any third-party content on the 404 page
* .. in the page URL accessible to third-party content on the 404 page
* ..
Current Behaviour:
* wp-personal-data-file-[email]-[random].zip
Expected Behaviour:
* wp-personal-data-file-[hash of email]-[random].zip
Note: I would not suggest using MD5 for hashing; otherwise many emails
could still be revealed with minimal effort, similar to
[https://wordpressexpose.chrisgherbert.com/ Gravatar user emails].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44197>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
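The following is an added Python illustration of the three filename schemes discussed in the ticket (email in the name, MD5 of the email, and a keyed alternative); it is not WordPress code and not the reporter's. The slugging rule ('@' becomes '-at-', other punctuation becomes '-') is inferred from the example filename on the page, the random suffix, candidate addresses and the per-site secret are constructed values, and `recover_email` stands in for anyone reading a log line who holds a list of candidate addresses, which is the Gravatar-style dictionary attack the note warns about.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample data; none of these are real accounts or real secrets.
CANDIDATE_EMAILS = ["info@example.com", "alice@example.org", "bob.smith@example.net"]
RANDOM_PART = "1RwxnSYi7zSZGjD6shoOc"          # stand-in for the random suffix
SITE_SECRET = b"constructed-per-site-secret"   # assumption: kept in config, never in a URL


def slugify_email(email):
    """Slug an address the way the filename on the page suggests:
    '@' -> '-at-', then every run of non [a-z0-9] -> '-'. Inferred, not WordPress code."""
    return re.sub(r"[^a-z0-9]+", "-", email.lower().replace("@", "-at-")).strip("-")


def current_filename(email, random_part=RANDOM_PART):
    """Current behaviour: the slugged address is embedded in the filename."""
    return f"wp-personal-data-file-{slugify_email(email)}-{random_part}.zip"


def md5_filename(email, random_part=RANDOM_PART):
    """Naive 'hash of email' with unkeyed MD5, the variant the note advises against."""
    digest = hashlib.md5(email.lower().encode()).hexdigest()
    return f"wp-personal-data-file-{digest}-{random_part}.zip"


def keyed_filename(email, secret=SITE_SECRET, random_part=RANDOM_PART):
    """Keyed alternative: HMAC-SHA256 under a per-site secret, truncated to 32 hex chars.
    Without the secret an observer cannot rebuild the tag from a guessed address,
    so a dictionary of candidate emails is useless against it."""
    tag = hmac.new(secret, email.lower().encode(), hashlib.sha256).hexdigest()[:32]
    return f"wp-personal-data-file-{tag}-{random_part}.zip"


def random_filename(random_part=None):
    """Simplest option: derive nothing from the email, keep only a random token."""
    return f"wp-personal-data-file-{random_part or secrets.token_hex(16)}.zip"


def recover_email(filename, candidates):
    """Dictionary attack by a log reader: pull the middle token out of the filename and
    compare it against the slug and the MD5 of every candidate address.
    Returns the matching address, or None if the filename reveals nothing."""
    m = re.match(r"wp-personal-data-file-(.+?)-[A-Za-z0-9]+\.zip$", filename)
    if not m:
        return None
    token = m.group(1)
    for email in candidates:
        if token == slugify_email(email):
            return email
        if token == hashlib.md5(email.lower().encode()).hexdigest():
            return email
    return None


if __name__ == "__main__":
    for make in (current_filename, md5_filename, keyed_filename):
        name = make("info@example.com")
        print(f"{name}\n  -> recovered: {recover_email(name, CANDIDATE_EMAILS)}")
    print(f"{random_filename()}\n  -> recovered: {recover_email(random_filename(), CANDIDATE_EMAILS)}")
```

Running it shows the slug and the MD5 variant both giving the address back from the candidate list, while the HMAC and random variants do not. The keyed scheme still lets the site itself map an export back to a user (same secret, same tag), which is the one property a plain random token does not offer; if that mapping is not needed, the random token is the smaller attack surface.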