[wp-trac] [WordPress Trac] #45318: Security problem: Login Oracle
WordPress Trac
noreply at wordpress.org
Sun Nov 11 10:28:29 UTC 2018
#45318: Security problem: Login Oracle
--------------------------+------------------------
 Reporter:  d0rkpress     |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:
 Severity:  normal        |  Resolution:  duplicate
 Keywords:                |     Focuses:
--------------------------+------------------------
Changes (by earnjam):

 * status:  reopened => closed
 * resolution:   => duplicate

Comment:

 Duplicate of #3708.

 There are easier ways to scrape and discover usernames than repeatedly
 submitting the login form.

 Even ''**if**'' we changed our position and began considering usernames to
 be private information, changing the messaging on the login form alone
 does nothing. It would require restructuring author archive permalinks,
 breaking changes to the REST API, educating theme developers to not use
 the username in CSS classes, etc.

 That's not to say the work required is the reason we aren't changing it,
 but just that you're oversimplifying the scope to which usernames are
 visible to non-authenticated visitors.

 But this has all been discussed many times across a bunch of tickets. If
 you have more to add to the conversation, you can continue the discussion
 on this ticket without reopening it.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/45318#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform