[wp-trac] [WordPress Trac] #52998: Logic error leads to account takeover

WordPress Trac noreply at wordpress.org
Thu Apr 8 05:01:21 UTC 2021


#52998: Logic error leads to account takeover
------------------------------------+------------------------
 Reporter:  eslam3kl                |       Owner:  (none)
     Type:  defect (bug)            |      Status:  closed
 Priority:  normal                  |   Milestone:
Component:  Login and Registration  |     Version:
 Severity:  normal                  |  Resolution:  duplicate
 Keywords:                          |     Focuses:
------------------------------------+------------------------
Changes (by peterwilsoncc):

 * status:  new => closed
 * focuses:  ui, template, coding-standards =>
 * severity:  major => normal
 * component:  General => Login and Registration
 * milestone:  Awaiting Review =>
 * keywords:  needs-dev-note =>
 * resolution:   => duplicate


Comment:

 Just noting this has been previously reported a few times, most recently
 in #40667 and #45318.

 As stated in the
 [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue Reporting Security Vulnerabilities]
 handbook article, WordPress doesn't consider usernames (and by extension,
 the existence of accounts) to be private. A similar thing can be achieved
 just by browsing the `/author/{slug}` views.

 WordPress needs to balance user friendliness with information disclosure
 and as [https://halfelf.org/2014/username-secret/ usernames are not
 considered private information], user friendliness wins here.

 I would, however, like to thank you for reaching out privately prior to
 logging this ticket. It is greatly appreciated that you followed the path
 of reporting to HackerOne prior to submitting a ticket here.

 When discussing rate limiting unsuccessful plugins in the past, it's been
 determined this is best left to plugins rather than be included in
 WordPress Core. There are a number of plugins in the WordPress plugin
 repository that include rate limiting, the most popular being Jetpack,
 which includes it as a feature. See #24193.

 Also related: #3708, #4290, #5301, #12129, #22421, #27125, #31787, #40667,
 #50254.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52998#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform