[wp-hackers] Rethinking check_admin_referer()

Matt Mullenweg m at mullenweg.com
Wed Apr 19 17:31:38 GMT 2006

Elliotte Harold wrote:
>> Well, it's the same with doors and locks: the chance that someone will
>> exploit my unlocked door is infinitesimal. 
> Only because no one's yet built a robot to quickly scan all doors in the 
> neighborhood to see which are unlocked. The problem's quite a bit more 
> serious for WordPress. :-(

I have never heard of a worm exploiting a distributed application 
through CSRF. It would be pretty difficult, and likely die.

If a worm were created, its best attack vector would be through 
comments. We could blog about it to warn people, since it's mostly a 
social hack education would help the most, and they could also be 
blocked by Akismet. In the event of an emergency, we have plenty of ways 
to contact people: through blogs, through the dashboard, mailing lists, 
and the one-way announcement list.

Social hacks will always be the most successful. The most common false 
false postives on Akismet are the ones asking where the RSS feed is, or 
complimenting the webmaster on their design. Remember the Windows thing 
that would tell people if there was a certain file in their system32 
directory they had spyware/virus, and went over the 20 steps to find and 
remove it?

Anyway, we're off-topic.

Matt Mullenweg
  http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com

More information about the wp-hackers mailing list