[wp-hackers] Re: Plugin update & security / privacy

Christian Höltje docwhat+list.wp.hackers at gerf.org
Mon Sep 24 04:49:26 GMT 2007


Okay.  Let's take a look at the situation.

I'm going to recap, please point out errors.

SITUATION:
Currently, 2.3 sends the bloginfo('home'), the plugin name, and the
plugin version # to api.wordpress.blah

The only thing currently being used by api.wordpress.blah is plugin
name and possibly the version number (but just for a simple string
check?).

However, having the server doing a version number check is actually
powerful because the plugins have version numbers all over the place
and api.wordpress.blah could actually track the chronological order to
figure out what's newer than what.

The URL currently serves no purpose.  It could possibly do something
in the future, but I'm not clear what.

IMPACT:
The ACTUAL ability for a cracker to break into your blog is not
increased at all by collecting this information, assuming it was
somehow made available to malicious people.

However, the ability for a hacker to get a nice list of people who
haven't upgraded to the latest security fixed plugin foo is increased
by this.  Which makes api.wordpress.blah a seductive target.

There is also the perceived security risk, which is unrelated to the
actual security risk.  As we can see just from the very limited
audience on this mailing list, the perception is that there is an
increased risk for blog owners.

There is a reputation or privacy risk as well.  The plugins
that a blog runs may or may not be detectable externally.  However, it
is the blog owner's choice to advertise what plugins they have.

Finally, there is perception of a privacy invasion.  Again, from just
this limited audience we can see that there are privacy concerns.

SUGGESTIONS:
I would suggest that this feature be off initially.  It can be turned
on by the admin if they wish.  It should not send a URL, though I
think generating and storing some sort of UUID, and using that instead
of the blog URL is probably the best compromise.

CLOSING NOTES:
I want to point out that there has been a thread about collecting
WordPress statistics. It overlaps a lot of the concerns for this
feature.  It was never proposed that this feature would be anything
other than opt-in.

Ciao!

-- 
He's turned his life around. He used to be depressed and miserable. Now he's miserable and depressed.
        -- David Frost

The Doctor What: Kaboom!                         http://docwhat.gerf.org/
docwhat *at* gerf *dot* org                                        KF6VNC
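The SUGGESTIONS section above (off by default, no URL, a stored UUID instead) sketched as code. This is an added example, not code from WordPress 2.3 or from the post's author: the option keys, function names and the `$options` array standing in for the WordPress options table (get_option()/update_option() in a real plugin) are assumptions, and the plugin list is constructed sample input.

```php
<?php
// Added example, not WordPress code. It implements the post's suggestion:
// the update check is off unless the admin enables it, and the blog is
// identified by a stored random UUID rather than bloginfo('home').
// Option keys and function names are assumptions; $options is a
// constructed stand-in for the WordPress options table.

// RFC 4122 version-4 UUID from the OS CSPRNG (random_bytes(), PHP 7+).
function generate_uuid4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version nibble = 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // RFC 4122 variant bits
    $hex = bin2hex($b);
    return sprintf('%s-%s-%s-%s-%s',
        substr($hex, 0, 8), substr($hex, 8, 4), substr($hex, 12, 4),
        substr($hex, 16, 4), substr($hex, 20, 12));
}

// Return the stored install ID, creating one on first use. Being random
// it cannot be reversed to the blog URL, but it is still a stable
// pseudonymous identifier across checks; regenerating it unlinks history.
function get_or_create_install_id(array &$options): string
{
    if (empty($options['update_check_uuid'])) {
        $options['update_check_uuid'] = generate_uuid4();
    }
    return $options['update_check_uuid'];
}

// Build what would be sent to the update server, or null when the admin
// has not opted in. Only the UUID plus plugin names and versions go out;
// bloginfo('home') is deliberately never added.
function build_update_check_payload(array &$options, array $plugins): ?array
{
    if (empty($options['update_check_enabled'])) {
        return null; // off by default: nothing leaves the site
    }
    $payload = [
        'install_id' => get_or_create_install_id($options),
        'plugins'    => [],
    ];
    foreach ($plugins as $file => $info) {
        $payload['plugins'][] = [
            'name'    => $info['Name'],
            'version' => $info['Version'],
        ];
    }
    return $payload;
}

// Constructed sample input, shaped like what get_plugins() returns.
$plugins = [
    'hello.php'   => ['Name' => 'Hello Dolly', 'Version' => '1.5'],
    'foo/foo.php' => ['Name' => 'foo',         'Version' => '0.9.1'],
];

$options = []; // fresh install: feature off, no UUID stored yet
var_dump(build_update_check_payload($options, $plugins)); // NULL

$options['update_check_enabled'] = true; // admin turned it on
$payload = build_update_check_payload($options, $plugins);

// Sanity checks: no URL in the payload, and a well-formed v4 UUID.
assert(!array_key_exists('home', $payload));
assert(preg_match(
    '/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/',
    $payload['install_id']) === 1);
// Second call reuses the stored UUID rather than minting a new one.
assert(build_update_check_payload($options, $plugins)['install_id']
    === $payload['install_id']);

echo json_encode($payload, JSON_PRETTY_PRINT), "\n";
```

The UUID is generated once and persisted, so the server can still correlate successive checks from the same install (which the post accepts as the compromise); an admin who wants to unlink from past reports only has to delete the stored option.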

