Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 6 weeks ago

#52169 closed defect (bug) (invalid)

REST API - User route security issue

Reported by: rajanit2000's profile rajanit2000 Owned by:
Milestone: Priority: normal
Severity: normal Version: 5.6
Component: REST API Keywords:
Focuses: rest-api Cc:

Description

Hi Team,

I am not sure this is an issue, But someone can guess their usernames (mostly slug).

at least we can hide the slug info in the return JSON values.

https://developer.wordpress.org/wp-json/wp/v2/users

Change History (3)

#1 @oglekler
3 years ago

Hi! Profiles Rosetta sites (WP.org) users are public and searchable. So, it is no point to hide them from API. In case of personal or company site it can be done but it not supposed to be a very useful measure on a big scale.

For tickets related to these sites is separate Trac: https://meta.trac.wordpress.org/

#2 @TimothyBlynJacobs
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @rajanit2000,

Disclosures of usernames is not a security issue. For more info read: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue

Please note, as the checkbox you had to check before creating this ticket indicated, Trac is not the right place to report suspected security vulnerabilities. https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues

#3 @swissspidy
6 weeks ago

#61143 was marked as a duplicate.

Note: See TracTickets for help on using tickets.