Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#33759 new defect (bug)

An admin changing an email/password should not generate a notification

Reported by: smerriman
Owned by: (none)
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.3
Component: Users
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

Branched off from #33504 as requested.

In 4.3, email notifications are now sent to a user whenever their email or password is changed. The reasoning behind this was solely from a security perspective:

so if someone hijacks your browser session and changes these items, you’ll be notified that it happened, and you can take action.

If the person changing the email/password is an admin, this notification does not provide any security benefits or useful information - all it does is mislead/confuse the user.

It does not provide security benefits because an admin has full control of the site and rights to do whatever they want - they could delete every user account on the site and create their own if they wanted to.

It is misleading/confusing because the notification implies this should only be happening if they changed the information themselves: If you did not change your password, please contact the Site Administrator.

A common use-case where an admin is changing the password of a user occurs after a WordPress import - you are prompted to change all imported users' passwords. Other than editing site code to add filters, you can no longer do so without everyone getting an email they won't understand - even if you are setting their passwords to the same as their originals.

For these reasons, I suggest altering the code to not send these notifications if the change of email/password was instigated by someone with admin rights.

Attachments (1)

33579.patch (1.3 KB) - added by smerriman 2 years ago.


Change History (4)

#1 @atomicjack
2 years ago

Arguably, it is more secure...

If someone takes over an admin account, and changes account details of other users, the users will be notified, and they will be able to say "hey what's going on here?" and the actual admin may become aware that an admin account has been hijacked, whereas otherwise they may not have been and it may have taken longer.

I would say, keep the notification, but alter the actual wording if an admin account made the change.

#2 @smerriman
2 years ago

Any 'malicious' admin can add filters to the site code before doing so, so I can't see how that provides any security at all. Whereas there is a logical use-case for disabling it by default.

@smerriman
2 years ago

#3 @smerriman
2 years ago

The above patch changes the default values for $send_password_change_email and $send_email_change_email to false for administrators.

As described above, there is not a single benefit, security or otherwise, to sending such emails when it is an administrator instigating the change, while there are certainly downsides.
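The "add filters to the site code" workaround mentioned in the description, written out as an added example (not the attached patch and not core code): a must-use plugin hooking the `send_password_change_email` and `send_email_change_email` filters that `wp_insert_user()` applies since 4.3. It narrows the ticket's rule slightly, an assumption on my part: notices are only skipped when a user holding the `edit_users` capability saves someone else's profile, so an admin changing their own credentials in a possibly hijacked session is still notified, and the suppressed event is written to the server log so the change stays auditable. The function names prefixed `example_` are invented for this snippet.

```php
<?php
/**
 * Plugin Name: Skip account-change notices for admin-initiated edits
 * Constructed example: drop into wp-content/mu-plugins/ to activate.
 */

/**
 * True when a logged-in user who may edit users is saving someone ELSE's
 * profile. Self-service changes (even by an admin) are left alone on
 * purpose: that is the hijacked-session case the 4.3 emails exist for.
 *
 * @param array $userdata The updated user array WordPress hands to the filter.
 * @return bool
 */
function example_admin_editing_other_user( $userdata ) {
	$actor_id = get_current_user_id();
	if ( 0 === $actor_id || ! current_user_can( 'edit_users' ) ) {
		return false; // Cron/CLI context or a non-admin: keep default behaviour.
	}
	$target_id = isset( $userdata['ID'] ) ? (int) $userdata['ID'] : 0;
	return $target_id > 0 && $target_id !== $actor_id;
}

/**
 * Shared callback for send_password_change_email / send_email_change_email.
 *
 * @param bool  $send     Whether WordPress intends to send the email.
 * @param array $user     The original user array (before the update).
 * @param array $userdata The updated user array.
 * @return bool
 */
function example_skip_notice_for_admin_edits( $send, $user, $userdata ) {
	if ( example_admin_editing_other_user( $userdata ) ) {
		// Keep a trace in the server log instead of the user's inbox, so an
		// abused admin account still leaves evidence of who changed what.
		error_log( sprintf(
			'[user-change] user %d (%s) edited by admin %d; email notice suppressed',
			(int) $userdata['ID'],
			isset( $user['user_login'] ) ? $user['user_login'] : 'unknown',
			get_current_user_id()
		) );
		return false;
	}
	return $send; // Any other case: whatever core (or an earlier filter) decided.
}
add_filter( 'send_password_change_email', 'example_skip_notice_for_admin_edits', 10, 3 );
add_filter( 'send_email_change_email',    'example_skip_notice_for_admin_edits', 10, 3 );
```

Returning `$send` unchanged and instead editing the message through the `password_change_email` filter gives the alternative raised in comment #1: keep the notice, but reword it when an admin made the change.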
