Opened 5 months ago
Last modified 5 months ago
#63927 new enhancement
Send email notification when an application password is added
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Application Passwords | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
When the account password or email address of a user is changed (either by the user themselves or by an administrator) an email gets sent to the email address of the user informing them of the change. This email helps prevent a user account takeover from going unnoticed.
No such email is sent when an application password is added to a user's account. An application password is almost as privileged as the user's main password as it can be used to perform actions via the REST API, even though it can't be used to log in to wp-admin.
An email should be sent to the user when an application password is added to their account. If the creation of the application password is unexpected then this informs the user about it.
Web services such as GitHub send an email to a user informing them about newly granted access to their account for third party apps. The wording of the email sent by WordPress could be similar, framing it as an app now having access via a newly created application password. One important difference is that the name of the application password is controlled by the user adding the password, unlike services where a third party app is prohibited from using a name that might imply that it's a first party connection. If an attacker adds an application password with the name "WordPress" or the name of the site itself, it would be confusing for the user to receive an email which says "WordPress now has access to your user account".
That's a long way of saying that we need to be careful of how this email is phrased.
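One way to send the notification described above, as an added example that is not the ticket's patch or any WordPress core code. It hooks the core `wp_create_application_password` action (which fires after the password has been stored) and uses the core `wp_mail()`, `get_userdata()`, `get_edit_profile_url()` and `home_url()` functions; the function name `example_notify_app_password_added` is this example's own. The wording treats the user-chosen label as an untrusted string and names the password rather than the "app", which is the phrasing concern the ticket raises.

```php
<?php
/**
 * Added example: email the user when an application password is added.
 * Hooked to the core action fired by WP_Application_Passwords::create_new_application_password().
 * $new_item is the stored password record (it includes the 'name' label chosen by the creator).
 */
add_action( 'wp_create_application_password', 'example_notify_app_password_added', 10, 4 );

function example_notify_app_password_added( $user_id, $new_item, $new_password, $args ) {
	$user = get_userdata( $user_id );
	if ( ! $user || empty( $user->user_email ) ) {
		return;
	}

	$site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );

	// The label is chosen by whoever created the password, so it is untrusted.
	// Strip tags/control characters and present it as a quoted label of the
	// *password*, never as the actor ("X now has access"), so a label such as
	// "WordPress" or the site name cannot pass itself off as a first-party connection.
	$label = sanitize_text_field( wp_specialchars_decode( $new_item['name'], ENT_QUOTES ) );

	$subject = sprintf( '[%s] An application password was added to your account', $site_name );

	$message  = sprintf( "Hi %s,\n\n", $user->display_name );
	$message .= sprintf(
		"An application password labelled \"%s\" was added to your account on %s (%s).\n\n",
		$label,
		$site_name,
		home_url()
	);
	$message .= "It can be used to act as your account through the REST API.\n\n";
	$message .= sprintf(
		"If you did not create this application password, revoke it from your profile: %s\n",
		get_edit_profile_url( $user_id )
	);

	wp_mail( $user->user_email, $subject, $message );
}
```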
Change History (4)
This ticket was mentioned in PR #9795 on WordPress/wordpress-develop by @prasadkarmalkar.
5 months ago
#2
- Keywords has-patch added; needs-patch removed
This pull request enhances WordPress security by notifying users via email whenever a new application password is added to their account.
- Sends an email to the user’s registered email address immediately after an application password is created.
- The email includes the name of the application password and site details, and advises the user to review their account if the creation was unexpected.
Trac ticket: https://core.trac.wordpress.org/ticket/63927
#3
5 months ago
Hi team,
I’ve created a PR to send an email notification to the user when an application password is created. Please review and let me know if any changes are needed in the email structure.
#4
@prasadkarmalkar commented on PR #9795:
5 months ago
Hi @johnbillion, Thanks for the suggestions. I have updated the code as per the requested changes.
+1 to this idea.