#52169 closed defect (bug) (invalid)
REST API - User route security issue
| Reported by: | rajanit2000 | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 5.6 |
| Component: | REST API | Keywords: | |
| Focuses: | rest-api | Cc: | |
Description
Hi Team,
I am not sure whether this is an issue, but someone can guess usernames from it (mostly the slug).
At the least, we could hide the slug field in the returned JSON values.
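The mitigation the reporter suggests, written out as an added illustration (this is not WordPress core code and nothing in core was changed as a result of this ticket): a site-specific filter on the real `rest_prepare_user` hook that strips the `slug` from user objects returned to anonymous callers of `/wp-json/wp/v2/users`. The capability check and the decision to also drop `link` are assumptions made for this example. Note that the `link` field is the author archive URL, which embeds the same nicename, so removing `slug` alone would still expose the value there.

```php
<?php
/**
 * Example mu-plugin, not WordPress core code: hide the user slug from
 * anonymous REST responses. The filter name and its three arguments are
 * core's real rest_prepare_user hook; the policy below is an assumption.
 */
add_filter( 'rest_prepare_user', function ( WP_REST_Response $response, WP_User $user, WP_REST_Request $request ) {
    // Assumption: callers who can list users (e.g. editors using the block
    // editor's author picker) still get the full object.
    if ( current_user_can( 'list_users' ) ) {
        return $response;
    }

    $data = $response->get_data();

    // 'slug' is user_nicename, which on most sites equals the login name.
    unset( $data['slug'] );

    // 'link' is the author archive URL and contains the same nicename by
    // default, so dropping only 'slug' would leave it visible here.
    unset( $data['link'] );

    $response->set_data( $data );
    return $response;
}, 10, 3 );
```

Even with this filter, the same nicename is still reachable through the author archive permalink (`/?author=N` redirects to `/author/<nicename>/` on a default permalink setup), which is one reason core treats username disclosure as not being a security boundary, as the reply below states.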
Change History (3)
#2 @ 4 years ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
Hi @rajanit2000,
Disclosure of usernames is not a security issue. For more info read: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue
Please note, as the checkbox you had to check before creating this ticket indicated, Trac is not the right place to report suspected security vulnerabilities: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues
Hi! Profiles of Rosetta site (WP.org) users are public and searchable, so there is no point in hiding them from the API. In the case of a personal or company site it can be done, but it is not supposed to be a very useful measure on a big scale.
For tickets related to these sites there is a separate Trac: https://meta.trac.wordpress.org/