[wp-trac] [WordPress Trac] #45318: Security problem: Login Oracle
WordPress Trac
noreply at wordpress.org
Sun Nov 11 11:32:13 UTC 2018
#45318: Security problem: Login Oracle
--------------------------+------------------------
Reporter: d0rkpress | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: duplicate
Keywords: | Focuses:
--------------------------+------------------------
Comment (by d0rkpress):
> Even if we changed our position and began considering usernames to be
> private information, changing the messaging on the login form alone does
> nothing.
??? It removes one possibility -- in security speak one attack vector.
Two reasons for this: there's a percentage of attackers who might not know
about the other ways to retrieve usernames. Or, more importantly, the
other ones are closed to an attacker because there are measures in place
to protect them.
So from the security standpoint this is a lame excuse.
> It would require restructuring author archive permalinks, breaking
> changes to the REST API, educating theme developers to not use the
> username in CSS classes, etc.
Don't know what you are referring to, but changing the failed login
message to what has been standard for 15 years doesn't involve a change
like this. There's a diff attached to the 12-year-old ticket, and my guess
without looking at the code today is that it is not the big change you
indicated.
> But this has all been discussed many times across a bunch of tickets. If
> you have more to add to the conversation, you can continue the discussion
> on this ticket without reopening it.
I got that, and it doesn't make sense to repeat it over and over to me. It
seems to me like an excuse, that you don't even want to think about it as
it requires leaving your comfortable position. Do you really understand
the security problem here? Do you acknowledge it? Do you want to think
about addressing it somehow in the future?
Insisting on your paradigm doesn't reflect my reality. I do not have good
statistics, but of the roughly 10 installations whose operators I
personally know, zero want to have the usernames public. And they use every
means to keep it that way. This is because they know the math, see my
previous post.
So if you are really willing to think about the possibilities of closing
the other security loopholes, I am sure that there will be ways to protect
against retrieval of user information by default -- at least for those who
want to.
Independent of those loopholes: changing the login message to not leak
usernames is a no-brainer.
Please fix that.
https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Incorrect_Response_Examples
https://nvd.nist.gov/800-53/Rev4/control/SI-11
https://cwe.mitre.org/data/definitions/210.html
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45318#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list
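As an added illustration of the login oracle the ticket argues about (CWE-210), and not code from WordPress or from the ticket: a Python stand-in for the two messaging strategies, the distinguishing error text beside a single uniform failure message. The user store, salts, passwords and message strings are constructed for the demo; the uniform variant also does the same hashing work for an unknown account, so the generic message is not undone by a faster response for missing users.

```python
import hashlib
import hmac
import os

# Constructed demo credential store (username -> (salt, PBKDF2 hash)).
# A stand-in for illustration, not WordPress's real user table.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential verified when the username does not exist, so an
# unknown account costs the same work as a wrong password (no timing oracle).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("constructed-dummy", _DUMMY_SALT)

GENERIC_ERROR = "Login failed: invalid username or password."


def login_leaky(username: str, password: str):
    """The oracle: the failure text reveals whether the username exists."""
    if username not in USERS:
        return False, "Unknown username."  # constructed wording
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Wrong password for this username."  # constructed wording
    return True, "Welcome"


def login_uniform(username: str, password: str):
    """Same message and same hashing work for unknown user and wrong password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    hash_ok = hmac.compare_digest(_hash(password, salt), stored)
    # The membership check is still needed so the dummy entry never logs in.
    if not (hash_ok and username in USERS):
        return False, GENERIC_ERROR
    return True, "Welcome"


def response_distinguishes_users(login, known: str, unknown: str,
                                 wrong_pw: str = "nope") -> bool:
    """Defender's check: does the failure message differ between a real account
    (wrong password) and a non-existent one? True means the form is an oracle."""
    return login(known, wrong_pw)[1] != login(unknown, wrong_pw)[1]
```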