[wp-trac] [WordPress Trac] #51838: Add first-time user message to application passwords form describing what this form is

WordPress Trac noreply at wordpress.org
Fri Nov 20 18:20:11 UTC 2020


#51838: Add first-time user message to application passwords form describing what
this form is
------------------------------------+-----------------------------
 Reporter:  wfmatt                  |      Owner:  (none)
     Type:  enhancement             |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:  5.6
 Severity:  normal                  |   Keywords:  needs-patch
  Focuses:  rest-api                |
------------------------------------+-----------------------------
 I think the application passwords form could use a first-time user message
 detailing what this feature is and what clicking "Yes, I approve of this
 connection." actually means. The form on its own is a bit short on
 messaging indicating what it actually is. I think for users bouncing over
 from a mobile app to this, it probably makes sense since the mobile app
 has the opportunity to provide the context that the app needs permission
 in order to work with your site. For someone looking to use social
 engineering to get users to give up app passwords, sending a user a
 phishing email with a link to this form and telling them they need to
 reconnect Jetpack (or insert trusted brand here) to access their account
 doesn't seem all that malicious. Jetpack users will already be familiar
 with a connection process, and the messaging here is similar enough that
 it might not raise red flags when it should.

 With a full OAuth implementation we would see a list of permissions being
 granted to this application. Since that's not a part of this feature, full
 access is granted to the app in question. For administrators, that means
 the ability to create another admin account or change the password of the
 existing one which would effectively lead to site takeover. That isn't
 conveyed anywhere on this page. I think we just need to make users aware
 of the context in which they should've arrived on this page, and what
 level of access they are giving this application (and really the
 application here is a URL, the user needs to determine if they trust the
 URL).

 There's a WP pointer when you navigate to the plugin file editor that
 functions as a bit of a speed bump and also lets users know there's the
 potential to break things by using this feature. I think app passwords
 need similar treatment.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/51838>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
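As an added illustration of the mitigation the ticket asks for (not code from the ticket or from WordPress core), the following hypothetical must-use plugin prints a first-time context notice on the authorization form, naming the host the user is about to trust and spelling out that an application password grants the user's full access. It assumes the `wp_authorize_application_password_form` action, fired with `( $request, $user )` inside the form in WordPress 5.6, and that `$request` carries the `app_name` and `success_url` keys; the plugin name, function and meta key are invented for the example.

```php
<?php
/**
 * Plugin Name: App Password Context Notice (added example, not part of core)
 *
 * Assumption: WordPress 5.6 fires 'wp_authorize_application_password_form'
 * with ( array $request, WP_User $user ) inside wp-admin/authorize-application.php.
 */

add_action( 'wp_authorize_application_password_form', 'apcn_render_context_notice', 10, 2 );

/**
 * Print a defender-side explanation of what approving the form means.
 *
 * @param array   $request Request details (app_name, app_id, success_url, reject_url).
 * @param WP_User $user    The user being asked to approve the connection.
 */
function apcn_render_context_notice( $request, $user ) {
	$app_name = isset( $request['app_name'] ) ? $request['app_name'] : '';
	$success  = isset( $request['success_url'] ) ? $request['success_url'] : '';

	// The app name is free text supplied by the requester, so show the host of
	// the URL the password will be sent back to; that is what the user must trust.
	$host = $success ? wp_parse_url( $success, PHP_URL_HOST ) : __( '(no return URL given)' );

	// Full access, no scopes: say so explicitly, and call out account-management
	// capabilities because they amount to site takeover for administrators.
	$notes = array(
		__( 'An application password lets this app do anything your account can do; there is no reduced-permission option.' ),
	);
	if ( user_can( $user, 'create_users' ) || user_can( $user, 'edit_users' ) ) {
		$notes[] = __( 'Your account can create and edit users, so the app could add or take over administrator accounts.' );
	}

	// Expand the explanation on the user's first visit; keep a short reminder afterwards.
	$seen_key   = 'apcn_seen_app_password_notice'; // hypothetical meta key
	$first_time = ! get_user_meta( $user->ID, $seen_key, true );
	if ( $first_time ) {
		update_user_meta( $user->ID, $seen_key, time() );
		array_unshift( $notes, __( 'You should only reach this page because an app you are setting up sent you here. If you arrived from an email or an unexpected link, reject the request.' ) );
	}

	echo '<div class="notice notice-warning"><p>';
	printf(
		/* translators: 1: application name, 2: host of the return URL */
		esc_html__( '"%1$s" is asking for access to your account and will receive the password at %2$s.' ),
		esc_html( $app_name ),
		esc_html( $host )
	);
	echo '</p><ul><li>' . implode( '</li><li>', array_map( 'esc_html', $notes ) ) . '</li></ul></div>';
}
```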