WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#32430 closed task (blessed) (fixed)

Users should be notified of password/e-mail changes

Reported by: markjaquith Owned by: markjaquith
Milestone: 4.3 Priority: normal
Severity: normal Version:
Component: Security Keywords: close
Focuses: Cc:

Description

We should avoid silent account compromises be notifying users when their password or e-mail address is changed.

Attachments (9)

32430.rmarks.patch (2.8 KB) - added by RMarks 3 years ago.
First draft of password notice to user.
32430.diff (5.1 KB) - added by MikeHansenMe 3 years ago.
send similar email to original email if email is changed
32430.2.diff (4.0 KB) - added by markjaquith 3 years ago.
32430.4.diff (6.9 KB) - added by tharsheblows 3 years ago.
filter wp_mail params and send email
32430.3.diff (6.8 KB) - added by markjaquith 3 years ago.
cleaned up
32430.5.diff (6.8 KB) - added by obenland 3 years ago.
Makes sure $send_email_change_email and $send_pass_change_email are set.
32430.6.diff (7.1 KB) - added by tharsheblows 3 years ago.
pass users arrays through send email filter too & update inline docs
32430.7.diff (7.3 KB) - added by markjaquith 3 years ago.
32430.filters.diff (1.7 KB) - added by johnbillion 3 years ago.

Download all attachments as: .zip

Change History (37)

This ticket was mentioned in Slack in #core-passwords by mark. View the logs.


3 years ago

@RMarks
3 years ago

First draft of password notice to user.

This ticket was mentioned in Slack in #core-passwords by rmarks. View the logs.


3 years ago

#3 @MikeHansenMe
3 years ago

@rmarks this is good. I think we will have a few people want to alter the wording a bit but otherwise, I think it is good.

This ticket was mentioned in Slack in #core by mark. View the logs.


3 years ago

This ticket was mentioned in Slack in #core-passwords by mark. View the logs.


3 years ago

#6 @markjaquith
3 years ago

We need to send this (or a version of this) out for e-mail changes as well.

@MikeHansenMe
3 years ago

send similar email to original email if email is changed

@markjaquith
3 years ago

#7 @markjaquith
3 years ago

The password change notification wasn't working, because it was added to the lost/reset portion of the code. I moved it to wp_update_user(). Reworded it a little bit.

This ticket was mentioned in Slack in #core by mark. View the logs.


3 years ago

#9 @markjaquith
3 years ago

  • Keywords has-patch needs-testing added

#10 @tharsheblows
3 years ago

I've changed it slightly to modify the filters a bit so it's possible to disable the emails and filter all of the wp_mail params.

Eg use cases: send only one email if both password and email modified, disable send if user on email server blacklist, give a notice if the new email address is blocked similarly.

@tharsheblows
3 years ago

filter wp_mail params and send email

@markjaquith
3 years ago

cleaned up

@obenland
3 years ago

Makes sure $send_email_change_email and $send_pass_change_email are set.

#11 @obenland
3 years ago

The above comment is actually not true, it just avoids the warning/notice when they're not set.

@tharsheblows
3 years ago

pass users arrays through send email filter too & update inline docs

@markjaquith
3 years ago

#12 @markjaquith
3 years ago

  • Owner set to markjaquith
  • Resolution set to fixed
  • Status changed from new to closed

In 32820:

Send emails when a user's email address or password is changed.

  • In case of email change, email goes to the OLD address
  • Prevents against issues where an account is compromised (say via cookie interception) and then the attacker silently takes over ownership via pw/email changes — now there will at least be a record that something is up

fixes #32430
props RMarks, MikeHansenMe, tharsheblows, obenland

#13 @johnbillion
3 years ago

  • Keywords 2nd-opinion added; has-patch needs-testing removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

I think some improvements can be made to the text in these emails.

  1. The "Notice of Password Change" and "Notice of Email Change" subject lines sound a bit clunky. A better phrase would be something like "Email Changed" or "Your email address has been changed".
  2. The phrase "If you did not change your password, please contact the Site Administrator at ###ADMIN_EMAIL###" does not make any sense if I am the only user on the site, or if I am the site administrator. How about some logic to only include this line when appropriate? ("Site Administrator" probably shouldn't be capitalised either.)
  3. The "Regards, All at ###SITENAME###" signature is indeed similar to the signature that's present in other emails that get sent out, but again it's not appropriate if I'm the only user on the site. Seeing as this is an automated security information email, and does not actually include the regards of anyone, I think this can be dropped. Maybe just leave the site URL in the signature.

#14 follow-up: @johnbillion
3 years ago

  • Keywords has-patch added

32430.filters.diff improves the newly added filter docs and changes the name of the send_pass_change_email filter to send_password_change_email.

#15 @tharsheblows
3 years ago

  1. Looking at the limited sample of emails I've received, "Email Address Change" seems to be most often used - it should be short enough to make sense when looking at a phone's inbox.
  1. I'd send the same emails to everyone. Seeing the exact email everyone else is getting is useful and to test user or role dependent emails it's necessary to make a new account. It'd be nice not to have to do that here as this is such a basic feature. It's also a bit of a double check on the admin email address - as this isn't tied to a user, it can be easy to forget to update it when updating your email address if you're the site administrator (or that might just be me...). Agree that changing the capitalisation would be good.

#16 @boonebgorges
3 years ago

In 32838:

When updating a user, only send email-change notification if email address is passed.

The notification, introduced in [32380], was firing incorrectly (and throwing
a PHP notice) when wp_update_user() was called without including 'user_email'
in the update data.

Props imath.
Fixes #32684. See #32430.

#17 @johnbillion
3 years ago

Another issue: a password change notification email will be sent out if a password is specified when adding a new user.

#18 @MikeHansenMe
3 years ago

I will take a look at this today and get the specified password worked out.

Version 0, edited 3 years ago by MikeHansenMe (next)

#19 @MikeHansenMe
3 years ago

Looked into this and chatted with @johnbillion and it does not send the password notification email on new user creation.

#20 @ocean90
3 years ago

In 32897:

Use 3-digit x.x.x style for 4.3.0 @since versions.

see #32335, #32430.

#21 @obenland
3 years ago

  • Keywords needs-patch added; has-patch removed

@MikeHansenMe could you create a patch to address these issues?

#22 @obenland
3 years ago

@MikeHansenMe any news here?

#23 @MikeHansenMe
3 years ago

  • Keywords close added; 2nd-opinion needs-patch removed

Just chatted with @obenland about this. It not sending the email is expected because the password was specified. Based on sending reset links instead of plain text passwords, this is expected behavior. I think we are all done here based on the original intent of the ticket.

#24 @obenland
3 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

#25 in reply to: ↑ 14 @TobiasBg
3 years ago

Replying to johnbillion:

32430.filters.diff improves the newly added filter docs and changes the name of the send_pass_change_email filter to send_password_change_email.

Can the main idea of this patch get a second look? The current name send_pass_change_email is just terrible.

This ticket was mentioned in Slack in #core-passwords by obenland. View the logs.


3 years ago

#27 @markjaquith
3 years ago

In 33486:

Change send_pass_change_email to send_password_change_email (better name).

see #32430

#28 @swissspidy
3 years ago

#16470 was marked as a duplicate.

Note: See TracTickets for help on using tickets.