WordPress.org

Make WordPress Core

Opened 4 weeks ago

Last modified 4 weeks ago

#44197 new defect (bug)

ZIP file containing a user’s personal data has user’s personal data in filename

Reported by: Ov3rfly Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.9.6
Component: Privacy Keywords: gdpr
Focuses: Cc:

Description

Example from wp-content/uploads/wp-personal-data-exports/

  • wp-personal-data-file-info-at-example-com-1RwxnSYi7z...SZGjD6shoOc.zip

The email info@example.com can be clearly identified within the filename.

Hosting providers worldwide: Work literally day & night to provide anonymization of personal user data like IP address in access logs etc. for gdpr-compliance.

WordPress in a core privacy feature: HMB, let's put personal user data in a filename for personal user data.

Why this isn't a good idea in terms of gdpr and otherwise, incomplete list:

  • While user email usually can be seen only in server database, now it can be seen in server filesystem
  • During download the filename is stored in access logs of the server and ..
  • .. in load balancer and firewall logs
  • .. in proxy server logs
  • .. in automated virus checking logs on proxy servers
  • .. in automated virus checking logs on client
  • .. in client browser history
  • .. in client filesystem
  • .. in client cloud backups
  • ..
  • After download has expired and user tries to re-download using the expired link ..
  • .. the normal WordPress 404 page is triggered and the filename ends up ..
  • .. in logs and/or storage of 404 handling plugins
  • .. in trackers like Google Analytics or similar
  • .. in referer logs of any third party content on 404 page
  • .. in page url accessible to third party content on 404 page
  • ..

Current Behaviour:

  • wp-personal-data-file-[email]-[random].zip

Expected Behaviour:

  • wp-personal-data-file-[hash of email]-[random].zip

Note: Would not suggest using MD5 for hashing; otherwise many emails could still be revealed with minimal effort, similar to Gravatar user emails.
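An added example (not code from WordPress core or from the ticket reporter) showing the difference between the current and the expected filename scheme, and why the note about MD5 matters: a bare hash of the address can be matched against a list of known addresses, whereas a keyed hash (HMAC-SHA256 under a per-site secret) cannot be matched without that secret, yet still lets an administrator who knows the address recompute the token and find the right file. The site secret, the token length and the helper names are assumptions of this example; in WordPress the secret would be one of the site's own salts.

```python
import hashlib
import hmac
import re
import secrets
from typing import List, Optional

# Constructed secret for this example only (assumption: a real deployment
# would use a per-site secret such as WordPress's salts, never a literal).
SITE_SECRET = b"constructed-example-site-secret-do-not-reuse"


def email_token(email: str, secret: bytes = SITE_SECRET, length: int = 16) -> str:
    """Keyed, truncated hash of a normalized email address.

    HMAC-SHA256 under a site secret instead of bare MD5: without the secret,
    the token cannot be checked against a precomputed list of addresses,
    which is the weakness the ticket's note about Gravatar refers to.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(secret, normalized, hashlib.sha256).hexdigest()[:length]


def legacy_filename(email: str, random_part: str) -> str:
    """Current behaviour from the ticket: wp-personal-data-file-[email]-[random].zip.

    The '@' becomes '-at-' and other punctuation becomes '-', so
    info@example.com is still plainly readable as info-at-example-com.
    """
    safe = re.sub(r"[^a-z0-9]+", "-", email.strip().lower().replace("@", "-at-"))
    return f"wp-personal-data-file-{safe}-{random_part}.zip"


def proposed_filename(email: str, random_part: Optional[str] = None) -> str:
    """Expected behaviour from the ticket: wp-personal-data-file-[hash of email]-[random].zip."""
    if random_part is None:
        # The random part is what keeps the link unguessable; the token only identifies.
        random_part = secrets.token_urlsafe(24)
    return f"wp-personal-data-file-{email_token(email)}-{random_part}.zip"


def contains_email(filename: str, email: str) -> bool:
    """Check whether a filename (or a log line carrying it) exposes the address
    in any of the obvious spellings, including the '-at-' form the ticket shows."""
    local, _, domain = email.strip().lower().partition("@")
    candidates = {
        f"{local}@{domain}",
        f"{local}-at-{domain}",
        f"{local}-at-{domain.replace('.', '-')}",
    }
    return any(c in filename.lower() for c in candidates)


def find_export_for(email: str, filenames: List[str]) -> List[str]:
    """Admin-side lookup: recompute the token for a known address and match
    the prefix, so the administrator can still pick the correct export file
    even though the address itself no longer appears in the name."""
    prefix = f"wp-personal-data-file-{email_token(email)}-"
    return [name for name in filenames if name.startswith(prefix)]


if __name__ == "__main__":
    # Constructed sample export directory listing.
    listing = [proposed_filename("info@example.com", "r1"),
               proposed_filename("bob@example.org", "r2")]
    print(legacy_filename("info@example.com", "1RwxnSYi7z"))
    print(listing)
    print(find_export_for("info@example.com", listing))
```

The token is deterministic per site, so all exports for one address share the same prefix and an administrator can locate them by recomputing it; only someone holding the site secret can do that, and the random suffix remains the part that keeps the download link itself unguessable.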

Attachments (1)

request-hover.PNG (14.2 KB) - added by Clorith 4 weeks ago.


Change History (7)

#1 @allendav
4 weeks ago

Your point is well taken. The email address was included in the filename to help administrators avoid incorrectly picking the wrong file if they needed to use the download flow (instead of the email flow) to send the user their data (e.g. if they needed to combine it with exported data from a non-participating plugin.)

#2 @allendav
4 weeks ago

The hash of email is interesting, but would raise the possibility of the admin choosing the wrong file to send to a user (which would be bad).

Perhaps there is another way we could help administrators not confuse multiple exports?

#3 follow-up: @Clorith
4 weeks ago

The export screen does provide a Download personal data link once it's been generated, that would be sufficient if we surface it better, perhaps adding it as a button to the action side of the screen?

#4 @allendav
4 weeks ago

Another idea: Don't send a direct link to the user in their email at all, but a link which kicks off a download of the export file. The link should include a nonce. That way we could perhaps continue to use the email address in the filename served to the administrator?

#5 in reply to: ↑ 3 @allendav
4 weeks ago

Replying to Clorith:

The export screen does provide a Download personal data link once it's been generated, that would be sufficient if we surface it better, perhaps adding it as a button to the action side of the screen?

I'm sorry Clorith - I don't follow. Could you elaborate?


#6 @Clorith
4 weeks ago

In request-hover.PNG I'm hovering over a request and being presented with a download link under the requesting email. We could surface that on the right side; that would mean a hashed filename isn't blocking any manual procedure you might foresee.
