[wp-trac] [WordPress Trac] #45318: Security problem: Login Oracle
WordPress Trac
noreply at wordpress.org
Fri Nov 9 15:26:27 UTC 2018
#45318: Security problem: Login Oracle
--------------------------+------------------------------
Reporter: d0rkpress | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.9.8
Severity: major | Resolution:
Keywords: close | Focuses:
--------------------------+------------------------------
Comment (by d0rkpress):
Thanks.
If you're interested in making WordPress more secure you should follow
security best practices and arrive in 2018. I have been doing pentests for an
eternity, and for a long time now everybody gets slapped (not literally) who
does not meet such a basic security requirement. By my statistics it is
reaaaally seldom in the past years that I see such a login message.
To cite the link from Half-Elf:
"WordPress is not alone in thinking your username isn’t a secret. Drupal
also thinks disclosure of usernames/id is not a security risk. "
What a -- sorry -- stupid excuse. Only because my neighbor does something
which sounds absurd to an average person, should I give up thinking and
just do the same?? Please use your own intelligence and don't rely on
others.
"In fact, Google doesn’t think your ID is a secret"
Yes but
A) They have no real choice, as their services are bound to the e-mail
address. You do!
B) Go ahead and try to brute force a login at Google. You won't be able to
do so. Google (like Twitter and others) has arrived in 2018 and does a great
job of fraud detection and anti-automation measures on authentication
functions. Out of the box WordPress doesn't come with those things.
C) For Google services it's even a no-brainer to switch on MFA. For
WordPress out of the box I do not even have a choice.
So, please stop these nonsense comparisons.
"user friendliness wins here." As said, it's 2018. People use browsers
which store usernames or have external password management systems which
can include usernames. There is no advantage in signaling those things with
a verbose error message like this to an average user. There might be one
for people who started using a computer a year ago, but if that is the
audience to which you adjust your security posture: good luck!
WRT HackerOne: This is a bug which doesn't fall in the categories
HackerOne is accepting. But it is a security bug, so the only choice to me
was posting it here. (This is a general question which you might want to
address)
The question to me boils down to whether you are willing to take security
seriously in 2018 or to stick with what was labeled as user friendly 15
years ago.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45318#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
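The oracle the reporter describes is the login form telling the visitor whether the username or the password was the wrong part. As an added example (not code from the ticket, the reporter, or WordPress core), the following must-use plugin collapses every failed login into one generic message and logs the failure so rate limiting or alerting can be built on top. It assumes two hooks that WordPress core provides: the `login_errors` filter applied in wp-login.php before the error box is rendered, and the `wp_login_failed` action fired by `wp_authenticate()`; the message text and the log format are this example's own choices.

```php
<?php
/**
 * Plugin Name: Generic login errors (added example, not part of the ticket)
 *
 * Place this file in wp-content/mu-plugins/ so it loads without activation.
 * Assumes the core 'login_errors' filter (a string of HTML error text) and
 * the core 'wp_login_failed' action (first argument: the submitted username).
 */

// Replace whatever wp-login.php would say about which credential was wrong
// with one message for every failure, so the form no longer confirms
// whether a given username exists.
add_filter( 'login_errors', function ( $errors ) {
    // Only rewrite when credentials were actually posted; leave other
    // login-screen errors (expired links, missing fields) untouched.
    if ( ! empty( $_POST['log'] ) || ! empty( $_POST['pwd'] ) ) {
        return 'The username or password you entered is incorrect.';
    }
    return $errors;
} );

// Detection side: record every failed login with the source address so an
// operator can spot automated guessing and feed a rate limiter or alert.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'wp_login_failed user=%s ip=%s',
        sanitize_user( $username, true ),
        $ip
    ) );
} );
```

This removes the oracle from the login form only. As the quote in the comment above notes, the project does not treat usernames as secret elsewhere, so the generic message should be paired with the anti-automation and MFA measures the reporter says are missing out of the box rather than relied on alone.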