
Opened 8 months ago

Last modified 6 months ago

#51838 new enhancement

Add first-time user message to application passwords form describing what this form is

Reported by: wfmatt
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 5.6
Component: Application Passwords
Keywords: needs-patch
Focuses: rest-api
Cc:

Description

I think the application passwords form could use a first-time user message detailing what this feature is and what clicking "Yes, I approve of this connection." actually means. The form on its own is a bit short on messaging indicating what it actually is. I think for users bouncing over from a mobile app to this, it probably makes sense since the mobile app has the opportunity to provide the context that the app needs permission in order to work with your site. For someone looking to use social engineering to get users to give up app passwords, sending a user a phishing email with a link to this form and telling them they need to reconnect Jetpack (or insert trusted brand here) to access their account doesn't seem all that malicious. Jetpack users will already be familiar with a connection process and the messaging here is similar enough where it might not raise red flags when it should.

With a full OAuth implementation we would see a list of permissions being granted to this application. Since that's not a part of this feature, full access is granted to the app in question. For administrators, that means the ability to create another admin account or change the password of the existing one which would effectively lead to site takeover. That isn't conveyed anywhere on this page. I think we just need to make users aware of the context in which they should've arrived on this page, and what level of access they are giving this application (and really the application here is a URL, the user needs to determine if they trust the URL).

There's a WP pointer when you navigate to the plugin file editor that functions as a bit of a speedbump and also lets users know there's the potential to break things by using this feature. I think app passwords need similar treatment.

Change History (5)

#1 @TimothyBlynJacobs
8 months ago

  • Component changed from Login and Registration to App Passwords
  • Milestone changed from Awaiting Review to 5.7

Thanks for the ticket @wfmatt!

Did you have any suggested language in mind?

#2 @wfmatt
8 months ago

How does something like this sound for an administrator account?

Hold Up!
Application passwords are a feature that allows third party applications and services to interact with your site on your behalf. They have the same level of access to your site as you do. As an administrator, they can create and modify user accounts, posts, pages, and settings. Be sure to only approve of connections that you have explicitly initiated from an application or service that you are currently using. Unsolicited connection requests may be an attempt to hijack your account.

I think we could probably leave out the "As an administrator" section for other user roles, or delve into specifics for each role.
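As an added example of how the warning proposed in this comment could be wired into the core screen (example code written for this page, not a patch from this ticket or from WordPress core): a small must-use plugin hooking the `wp_authorize_application_password_form` action, which WordPress 5.6 fires inside the approval form before the submit buttons and passes the collected request array and the authorizing `WP_User`. The `ap_` function names are made up for the example, and reading the callback URL from `$request['success_url']` is an assumption about the keys core places in that array.

```php
<?php
/**
 * Plugin Name: Application Password Authorization Notice (added example, not a core patch)
 *
 * Prints the "Hold Up!" message from comment #2 on wp-admin/authorize-application.php
 * so the user sees what approving the connection grants before clicking
 * "Yes, I approve of this connection." Drop the file into wp-content/mu-plugins/.
 */

/**
 * Build the notice text for the user who is about to approve the connection.
 * The administrator sentence is only included for users who can actually
 * create users or change settings, following the role suggestion in comment #2.
 *
 * @param WP_User $user The user authorizing the application.
 * @return string Plain-text notice; the caller escapes it for output.
 */
function ap_authorize_notice_text( WP_User $user ) {
	$text = 'Application passwords are a feature that allows third party applications and services '
		. 'to interact with your site on your behalf. They have the same level of access to your site as you do.';

	if ( user_can( $user, 'create_users' ) || user_can( $user, 'manage_options' ) ) {
		$text .= ' As an administrator, they can create and modify user accounts, posts, pages, and settings.';
	}

	$text .= ' Be sure to only approve of connections that you have explicitly initiated from an application '
		. 'or service that you are currently using. Unsolicited connection requests may be an attempt to hijack your account.';

	return $text;
}

/**
 * Print the notice inside the authorization form.
 *
 * @param array   $request Request data collected by core (app_name, app_id, success_url, reject_url); may be empty.
 * @param WP_User $user    The user authorizing the application.
 */
function ap_render_authorize_notice( $request, $user ) {
	// Assumption: core passes the callback URL under 'success_url'. The host of that URL is
	// the party that will receive the new password, so it is surfaced here; the ticket
	// description notes that the "application" on this screen is really a URL to trust or not.
	$success_url = isset( $request['success_url'] ) ? (string) $request['success_url'] : '';
	$host        = '' !== $success_url ? wp_parse_url( $success_url, PHP_URL_HOST ) : '';
	?>
	<div class="notice notice-warning inline">
		<p><strong><?php echo esc_html( 'Hold Up!' ); ?></strong></p>
		<p><?php echo esc_html( ap_authorize_notice_text( $user ) ); ?></p>
		<?php if ( $host ) : ?>
			<p>If you approve, the new password will be sent to <code><?php echo esc_html( $host ); ?></code>.
			   If you did not start this connection from that service just now, reject it.</p>
		<?php endif; ?>
	</div>
	<?php
}
add_action( 'wp_authorize_application_password_form', 'ap_render_authorize_notice', 10, 2 );
```

The capability check keeps the administrator sentence accurate for the account that is actually approving, and showing the callback host gives the user the one concrete fact they need to judge an unsolicited request.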

#3 @hedgefield
7 months ago

This is a good suggestion! It would go nicely with the idea floating in https://core.trac.wordpress.org/ticket/51899 about making app passwords a separate page, then there's more room to provide important guidance like this. But wherever it ends up I think it'll make a nice addition.

#4
6 months ago

This ticket was mentioned in Slack in #core by lukecarbis.

#5 @audrasjb
6 months ago

  • Milestone changed from 5.7 to Future Release

As per today's bug scrub, let's move this ticket to Future release so it can be handled in time for WP 5.8. If we have a patch and unit tests in time for 5.7 beta 1, please feel free to move it back to milestone 5.7.
