Serious email spam issue for Irish Wordpress blogs.

January 6th, 2007 by Jason Roe. Post is filed under Business, Web Design & Development.

After doing a bit of research on WordPress blog security I stumbled upon WordPress Ticket #3142. The ticket describes an issue where any registered user who has logged into your blog can view the metadata of every other user simply by entering a crafted URL (this is after they have signed up and activated an account). One comment said “I believe this affects 2.0.4 and 2.1″, which in practice means versions before 2.0.5.

So what does this really mean for your wordpress blogs?

Your blog’s user metadata includes the e-mail address of every registered user, and also of every person who has commented on your blog (if public registration is enabled). This has the potential to cause huge privacy problems around e-mail addresses: a smart spammer could latch onto this exploit, spider your blog and harvest the e-mail addresses of all of your users.

After doing a bit of Google magic I found over 819 Irish blogs and over 292,000 other blogs with the potential to be affected by this problem. Out of the 5 high-profile Irish blogs that I tested, all of them seemed to be vulnerable.

So how do I fix this problem?

Some blogs don’t seem to be affected, and all of them have public registration disabled. So a quick fix is to disable registration, then jump over to Ticket #3142 and get the patch ASAP. And after all that I even got a free go in a Dublin Chauffeur Company.
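The failure mode behind this ticket, as described in the pingbacks below, is an authorization check that reports “You do not have permission to edit this user.” and then carries on rendering the profile form anyway. The following is an added illustration of that pattern and its correction; it is not WordPress code and not the patch from Ticket #3142. The user records, the `can_edit_user` capability check and the function names are all constructed for the example. In a real WordPress admin page the corrected branch would call `wp_die()` rather than returning a string.

```php
<?php
// Added illustration, not WordPress code: a hypothetical user-edit handler shown
// twice, once with the defect (a failed permission check is reported but rendering
// continues) and once corrected (a failed check ends the request before any user
// data is emitted).

declare(strict_types=1);

// Constructed sample user records; field names are assumptions, not WordPress's schema.
const USERS = [
    1 => ['login' => 'admin',  'email' => 'admin@example.invalid',  'role' => 'administrator'],
    2 => ['login' => 'reader', 'email' => 'reader@example.invalid', 'role' => 'subscriber'],
    3 => ['login' => 'writer', 'email' => 'writer@example.invalid', 'role' => 'author'],
];

// Hypothetical capability check: users may edit their own profile,
// administrators may edit anyone.
function can_edit_user(int $viewer_id, int $target_id): bool
{
    $viewer = USERS[$viewer_id] ?? null;
    if ($viewer === null) {
        return false;
    }
    return $viewer_id === $target_id || $viewer['role'] === 'administrator';
}

// Renders the target user's profile form (e-mail included) as a string.
function render_profile_form(int $target_id): string
{
    $u = USERS[$target_id];
    return "<form>login={$u['login']} email={$u['email']}</form>";
}

// Defective handler: the error message is emitted, but execution falls through
// and the form is emitted too, so the response still carries the e-mail address.
function user_edit_vulnerable(int $viewer_id, int $target_id): string
{
    $out = '';
    if (!can_edit_user($viewer_id, $target_id)) {
        $out .= "<p>You do not have permission to edit this user.</p>\n";
    }
    $out .= render_profile_form($target_id); // BUG: reached regardless of the check above
    return $out;
}

// Corrected handler: a failed authorization check terminates the request
// (wp_die() in a real WordPress page) before any profile data is produced.
function user_edit_fixed(int $viewer_id, int $target_id): string
{
    if (!isset(USERS[$target_id]) || !can_edit_user($viewer_id, $target_id)) {
        return "<p>You do not have permission to edit this user.</p>\n";
    }
    return render_profile_form($target_id);
}

// Defender-side regression check: does the response contain the target's e-mail?
function leaks_email(string $response, int $target_id): bool
{
    return strpos($response, USERS[$target_id]['email']) !== false;
}

$subscriber = 2; // a low-privilege registered user
$victim     = 3; // another user whose profile is requested

$vuln  = user_edit_vulnerable($subscriber, $victim);
$fixed = user_edit_fixed($subscriber, $victim);

printf("vulnerable handler leaks e-mail to subscriber: %s\n", leaks_email($vuln, $victim) ? 'yes' : 'no');
printf("fixed handler leaks e-mail to subscriber:      %s\n", leaks_email($fixed, $victim) ? 'yes' : 'no');
printf("fixed handler still serves administrator:      %s\n", leaks_email(user_edit_fixed(1, $victim), $victim) ? 'yes' : 'no');
```

Run it with `php` on the command line. The point of the `leaks_email` check is that an authorization test should be written against the response a low-privilege account actually receives, not against whether an error message was printed; printing the error and continuing is exactly the shape of the bug the ticket reports.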

15 Responses to “Serious email spam issue for Irish Wordpress blogs.”

  1. Damien Mulley » Blog Archive » Attention Irish Wordpress users - Security Exploit to watch out for Says:

    [...] Jason has blogged about a Wordpress security issue which allows people to get the emails of all posters and event people who leave comments. Disabling public registration seems to fix it but see Jason’s blog for more. blogs ireland irish irishblogs security wordpress [...]

  2. Wordpress Security Hole Says:

    [...] Wordpress Security Hole Written on January 6th, 2007 by michele Jason spotted a very serious security issue in Wordpress that doesn’t seem to have been addressed properly even though it was reported back in September of last year. [...]

  3. Wordpress Security Problem - Irish SEO, Marketing & Webmaster Discussion Says:

    [...] Wordpress Security Problem Serious email spam issue for Irish Wordpress blogs. - Business. Jason Roe - Web design, Development, SEO Advice __________________ Armchair.ie | work|Blog Tips|Seo tips|EU Domain ScandalTechie Toys| Gadgets Do you want your vbulletin site to be search engine friendly? Click here for info [...]

  4. KAL Case Says:

    Oh dear - I’ve just found out about this via Damien Mulley’s blog. We get a fair few spammy comments on our blog, so this could be an issue for us.

    I’m a complete non-techy person, however - is there a way to explain the fix for this in layman’s terms for a computer-illiterate like myself?

    Many thanks!

  5. Minor Wordpress vulnerability confirmed - amd on software - stuff for nerds, news that matters Says:

    [...] Minor Wordpress vulnerability confirmed Thanks to Jason for the heads-up - it seems that my Wordpress 2.0 blogs are vulnerable to the exploit listed in Wordpress issue #3142, but the effect is relatively minor. Every logged-in user can spy out the metadata of all other users by typing in the URL /wp-admin/user-edit.php?user_id=XXX, irrespective of whether he has the right to do this or not. If not, the error message “You do not have permission to edit this user.” will in fact be shown, but after that message the complete form with all data will also be shown. [...]

  6. Cupla Web: Smart Website Development Says:

    WordPress: Are your user’s email addresses secure?…

    Jason Roe has pointed out a potential security issue for Wordpress which I picked up on via boards.ie.
    The issue can allow someone to scrape email addresses and other contact details from a wordpress site that allows user registration on it.
    In the gra…

  7. Stuntdubl Marketing Consulting hacked - SEOs a target - Jason Roe Web Development. Jason Roe - Web design, Development, SEO Advice Says:

    [...] Quick fix is to disable trackback until the patch is issued by wordpress. This is kinda similar to my other post about wordpress security. See pick below: [...]

  8. Mike Dammann Says:

    Is this when you realized how easy it was to hack wordpress blogs? ;)

  9. Jason Roe Says:

    I just found a bug while doing research on security. It had been fixed by the time I made the post.

  10. The day after tomorrow for SEO wordpress blogs! - Jason Roe Technology. Jason Roe - Web design, Development, SEO Advice Says:

    [...] I guess this might be understandable just after I highlighted an issue with wordpress last week! However, this was more of a heads up than a Tutorial on how to exploit the issue. People keep putting 2 + 2 together and making 5 [...]

  11. Our Family Blog » Blog Archive » TUE LINKS 1/16/2007Uworld Says:

    [...] Huge Wordpress Security Issue [...]

  12. Matt Says:

    “Your blog meta data includes all of the e-mail address of every user & also ever person who has commented on your blog.”

    This sentence is incorrect. I’m not registering on your blog to make this comment, therefore I don’t have a user ID. If you had registration open on your blog, an option which is off by default, and if I registered on your blog with a legitimate email address and went through the activation process, and if you were running a version older than 2.0.5, which was released about 3 months ago.

    I totally agree that people on older versions should upgrade, or at the very least turn off the “anyone can register” option.

  13. Jason Roe Says:

    Hi Matt, Thanks for popping by. This comment was based on my adventures inside my own blogs, so as you said it may not be the case for everyone.

    However, while looking at this issue on other blogs I noted that I could view 900-odd users. These users were closely related to comments posted. As far as I was aware, there was no real reason for the sites to have this enabled in the first place. The other strange thing is that there was no link for the users to register without manually entering a URL. So how did these guys get accounts?

    I will test it again on another blog of mine with a standard 2.0.5 pre-patched install.

  14. Jason Roe Says:

    I made some revisions to the post to clear up what I was trying to say. I agree with Matt, there was a bit more to this than some of the newer exploits. People on older versions should always upgrade (in an ideal world).

  15. Niall Devitt Says:

    Thanks for the advice and well done on making the discovery