On the same day that a security researcher released details of a vulnerability in the way WordPress deals with password resets, I too reported a security issue. Well, more of a concern.

For a while I’ve noticed that more and more sites are not telling you, when you do a password reset, if the email you’ve entered is valid or not. They’ll, instead, give you a message along the lines of “if that email is valid, we will send you details on how to reset your password”. That way you can’t use the password reset feature to fish for people’s emails.

But WordPress doesn’t do that. Enter a user name or email address and it will tell you if it was valid or not.
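The two behaviours described above, side by side, as an added Python example (not WordPress code and not code from this post). The in-memory user store, the function names and the wording of the leaky messages are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed sample data: a tiny in-memory user store and mail outbox.
USERS = {"alice@example.com": {"login": "alice"}}
OUTBOX = []          # (recipient, reset_token) pairs "sent" by mail
RESET_TOKENS = {}    # sha256(token) -> email; only the hash is stored

GENERIC_MSG = ("If that email is valid, we will send you details "
               "on how to reset your password.")


def _issue_token(email):
    """Create a one-time token, store its hash, queue the mail."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
    OUTBOX.append((email, token))


def reset_leaky(email):
    """Answers differently for known and unknown addresses (enumerable)."""
    key = email.strip().lower()
    if key not in USERS:
        return 404, "There is no account with that email address."
    _issue_token(key)
    return 200, "Check your email for the reset link."


def reset_uniform(email):
    """Same status and body whether or not the address is registered."""
    key = email.strip().lower()
    if key in USERS:
        _issue_token(key)
    # Unknown address: nothing is sent, but the caller cannot tell.
    return 200, GENERIC_MSG


def distinguishable(handler, known, unknown):
    """True if the handler's responses reveal which address exists."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for h in (reset_leaky, reset_uniform):
        print(h.__name__, "leaks account existence:",
              distinguishable(h, "alice@example.com", "nobody@example.com"))
```

Response time can differ between the two branches as well; queuing the mail for background delivery keeps that from becoming a second signal.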

Here’s what happens if I try, on my own site, to specify an email that isn’t registered…

I raised this with the Core development team and was told that this was a known issue, but that they don’t consider usernames (and by extension, the existence of accounts) to be private. Indeed, you can fish for user names by browsing for /author/{slug} pages.

The WordPress project doesn’t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.

Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments — such as Google and Facebook — have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5. (Make WordPress Core)

But this isn’t just WordPress as Drupal has similar arguments for the same thing.

Now, of course, this is just discussing user names and not passwords but one of the lines above, I believe, indicates the same is felt…

…have done away with usernames in favor of email addresses, which are shared around constantly and freely

So, the suggestion is that email addresses are shared freely. Maybe it’s just me but I don’t, which is why my site uses a contact form and I’m careful who I respond to. Bearing in mind it’s part of the login process of a site, I don’t make it public and that adds an extra layer of security for me. Of course, a good password, and 2FA where available, is critical.

Back to the fact that you can easily fish for user names – does this mean it’s the right thing? Personally, the way WordPress uses these IDs, I think, could be improved. Because it matches your logins elsewhere, you may create a WordPress ID of MrWankey69 but that doesn’t mean you want it to be the slug for your author page. You can easily choose how you wish your name to appear on the site anyway, so why not keep this ID as something you use in the admin side and a separate ‘slug’ used for author (defaulting to the user’s name, without spaces [1])?

As is the case with WordPress, I suspect this couldn’t be achieved because of the need for backwards compatibility – any such update may well change how some people’s sites display author names.

But this isn’t about WordPress per se (after all, we’ve seen that Drupal does the same) but about the question of whether allowing free fishing of email addresses and user names is acceptable. When we hear of user data being leaked, it’s often of names, emails, user IDs and addresses, and not always including passwords [2], yet it still remains a concern.

I’d love to hear other people’s views on this subject.

  1. But, then again, that would require users to have to specify their real name, which they currently aren’t required to do
  2. certainly unencrypted passwords